Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS: Using a KMS-encrypted master password to create a RDS instance

Tags:

mysql

amazon-web-services

amazon-rds

terraform

amazon-kms

When creating a new RDS instance on AWS via the aws cli tools, is it possible to use a master password which is encrypted with an AWS KMS key? E.g. using this command: http://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html

I'm asking because I don't want to store clear text passwords in my dev environment (using terraform or cloud formation), instead encrypted values which are transparently decrypted by the according AWS components.

like image 705
derFunk Avatar asked Mar 10 '23 14:03

derFunk

1 Answers

If you wanted to do this with the CLI you could always encrypt the password with a KMS key and then run two commands to decrypt the password and create the database.

So something like this might work:

aws rds create-instance ... \
--master-username admin-user \
--master-user-password `aws kms decrypt --ciphertext-blob fileb://path/to/kms/encrypted/file/with/password --output text --query Plaintext | base64 --decode`

If you wanted to still use Terraform for creating your database instances then I've previously answered a question along similar lines. Although that question is more concerned around the database being stored in a remote state file.

If you were equally concerned about keeping the password in your code then I'd consider simply using a variable for your password and then passing that in on the CLI or using an environment variable.

Equally you could use the aws_kms_secret data source to decrypt your password on the fly. That will leak the password to logs and state files though:

$ echo -n 'master-password' > plaintext-password
$ aws kms encrypt \
> --key-id ab123456-c012-4567-890a-deadbeef123 \
> --plaintext fileb://plaintext-example \
> --encryption-context foo=bar \
> --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==

And then in Terraform:

data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

    context {
      foo = "bar"
    }
  }
}

resource "aws_rds_cluster" "rds" {
  master_username = "root"
  master_password = "${data.aws_kms_secret.db.master_password}"

  # ...
}
like image 95
ydaetskcoR Avatar answered Apr 26 '23 10:04

ydaetskcoR
Sign in to Comment

Related questions

JPA: Foreign key constraint on delete
Count how many of each value from a field with MySQL and PHP
MySQL Statement extremely slow even with indexes
How to decrease the timeout for my python application connecting to mysql server
Convert characters to UTF8 in MySQL (é to é)
C# Dynamic SQL INSERT ... SELECT
Can't import database through phpmyadmin
Converting Numbers to Words in MYSQL result! Using Query
how to set unique primary key for all table in same database
utf8 collation difference between unicode and danish
How to check username and password case sensitive?
MySQL query between 2 dates fields
MySQL how to find parent with exact set of children?
How can I remove a value from an enum in mysql?
Different ORDER BY direction for MySql query results
mysql 5.6 foreign key constraint error; didn't occur in 5.5
Insert into MySQL Table PHP
How to count rows in one table based on another table in mysql
Split (explode) comma delimited column values to rows
Natural Sorting SQL ORDER BY

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!