
So I am trying to figure out how to NOT display my password once it gets passed on to the OS from CloudFormation. So first I am using the below in my CloudFormation script; with "NoEcho" the password that I put in is starred out...

"DBPASS" : { "NoEcho" : "true", "Description" : "Password for oracle user", "Type" : "String", "MinLength" : "1", "MaxLength" : "20" },

Then in the user data section of my CloudFormation I do the below to set the password for the oracle user. But the problem is that the user is echoed out to boot.log/cloud-init.log, so the password is visible... I am trying to hide the password so it's not seen in the logs.

"DBPASS=", { "Ref": "DBPASS" }, "\n",

"echo -e \"$DBPASS\n$DBPASS\" | passwd $oracle\n",

Then I was thinking of doing something like the below, but I am not sure how to pass in the "DBPASS" variable to the input twice...

stty -echo
read DBPASS
stty echo

My goal is to set the password for the oracle user without echoing it out to the logs...

max scalf
  • Adding a bit more detail will help the readers of this question to help you. What I get: it sounds like DBPASS is a parameter to the CloudFormation template. It also sounds like you are using the DBPASS parameter in the cloud-init part of the template to configure a user oracle that you will later use. Have you tried redirecting the STDOUT and STDERR from that specific command to /dev/null? – Mircea Oct 07 '15 at 18:37
  • @Mircea yeah, I have tried STDOUT to /dev/null for the "DBPASS=", { "Ref": "DBPASS" }, "\n", portion, but for me to set the password for the oracle user I have to use the echo -e command... until and unless there is another way – max scalf Oct 08 '15 at 15:24
  • Can you share the actual piece of the template and the logs you are seeing? (remove the password, obviously) – Mircea Oct 08 '15 at 15:27

2 Answers


If you need to protect sensitive information from being readable from within your EC2 instance, then you shouldn't put it in your user-data boot script at all, regardless of whether it's being stored as part of Cloud-init's default log output, because the user-data script will still always be readable as part of the instance metadata.

Refer to this Important note in the Instance Metadata and User Data section of the EC2 documentation:

Important

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.

As one alternate approach to sensitive data, you could upload the content to a private S3 bucket, then download it to the EC2 instance using aws s3 cp from your user-data script. See my answer to the question, How can I (securely) download a private S3 asset onto a new EC2 instance with cloudinit? for more details on this approach.

wjordan
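The S3 approach described in this answer, as an added example that is not part of the original answer or of any AWS project code: a user-data script that downloads the password from a private bucket into a root-only file and feeds it to chpasswd, so the secret never appears in the user-data text, in a shell variable, or in the cloud-init log. The bucket path in SECRET_URI, an instance role allowing s3:GetObject on it, and the CHPASSWD override are assumptions.

```bash
#!/bin/bash
# Added example (not from the question or the answers): user-data that fetches
# the oracle password from a private S3 object instead of embedding it.
# Assumptions: SECRET_URI is a placeholder, and the instance role allows
# s3:GetObject on it.
set -eu
set +x   # a debug trace must never print the secret

SECRET_URI="${SECRET_URI:-s3://example-bucket/oracle-pass}"   # placeholder
TARGET_USER="${TARGET_USER:-oracle}"
CHPASSWD="${CHPASSWD:-chpasswd}"   # overridable so the helper can be exercised without root

# Download the secret into a root-only temp file (mktemp creates it 0600).
# The password never appears in the user-data text, so it is not exposed via
# instance metadata or the cloud-init log.
fetch_secret() {
  local dest
  dest=$(mktemp /root/.oracle-pass.XXXXXX)
  aws s3 cp --quiet "$SECRET_URI" "$dest"
  printf '%s\n' "$dest"
}

# Stream "user:password" straight from the file into chpasswd, then destroy
# the file. The secret is never echoed, so nothing reaches a terminal or a log.
set_password_from_file() {
  local user=$1 file=$2
  { printf '%s:' "$user"; head -n 1 "$file"; } | "$CHPASSWD"
  shred -u "$file" 2>/dev/null || rm -f "$file"
}

main() {
  local file
  file=$(fetch_secret)
  set_password_from_file "$TARGET_USER" "$file"
}

# Only act when invoked with --apply; loading the file alone just defines helpers.
if [ "${1:-}" = "--apply" ]; then main; fi
```

The user-data itself stays readable through instance metadata, as the quoted note warns, but it now contains only a bucket path and no secret.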

You can pass your DB credentials as a Parameter from the command line. You will need to pass those credentials while launching the CloudFormation stack, but they will not be visible anywhere. Check out this template, where the DB parameters are provided as parameters ('default' is not set in the parameters, so you have to pass them while launching your CloudFormation stack).

Aniruddha J