Create Bucket-Limited Tokens for Each S3-Backed Volume Mount #28

Open
opened 2023-08-21 15:07:20 +02:00 by so-rose · 0 comments

We already create a dedicated S3 bucket each time an S3-backed volume is requested. However, currently, for simplicity, they all share one read-write token set which works for all buckets.

Not just each bucket, but each host's mount of each bucket, really ought to have its own dedicated token as well. For example, a host using a `readonly`-mounted `rclone` filesystem should only be given a read-only token set (ex. a #14 scheme), but the one host that needs the read-write `rclone` filesystem should instead be given a read-write token set.

Realizing this **requires** #24 to be tenable:

- [ ] Per-host token set generation should be done via the Cloudflare API, whenever an appropriate token/host set doesn't yet exist, in `deploy_volume_s3`.
- [ ] These tokens should be written to `password-store` (again, when they don't yet exist, or are expired) as a hot-path config, as described in #24.
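The per-mount token scheme described above, as an added example that is not the project's own `deploy_volume_s3` code: `PasswordStore` is an in-memory stand-in for `password-store`, `create_cloudflare_token` is a constructed stand-in for the Cloudflare API call, and the scope names are placeholders. It shows the idempotent decision the issue asks for: reuse a stored token for a (bucket, host, mode) triple, mint a new one only when it is missing or about to expire, and never hand a `readonly` mount write permissions.

```python
# Added example: idempotent per-host, per-mount token provisioning.
# PasswordStore and create_cloudflare_token are assumptions (stand-ins), not
# the project's deploy_volume_s3 or the real Cloudflare API.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Scope sets per mount mode. The scope names are placeholders; the point is
# that a readonly mount is never handed a token set carrying write permissions.
SCOPES = {"ro": ("object:read",), "rw": ("object:read", "object:write")}


@dataclass
class TokenEntry:
    access_key: str
    secret_key: str
    scopes: tuple
    expires_at: datetime


@dataclass
class PasswordStore:
    """In-memory stand-in for password-store; keys mirror a pass path layout."""
    entries: dict = field(default_factory=dict)

    @staticmethod
    def path(bucket: str, host: str, mode: str) -> str:
        return f"s3/{bucket}/{host}/{mode}"


def create_cloudflare_token(bucket: str, host: str, scopes: tuple,
                            now: datetime) -> TokenEntry:
    """Constructed stand-in for the Cloudflare API call that mints a token."""
    name = f"{bucket}-{host}-{'-'.join(scopes)}"
    return TokenEntry(f"AK_{name}", "SK_placeholder", scopes,
                      now + timedelta(days=30))


def ensure_mount_token(store: PasswordStore, bucket: str, host: str, mode: str,
                       now: Optional[datetime] = None,
                       min_ttl: timedelta = timedelta(days=1),
                       create: Callable = create_cloudflare_token):
    """Return (token, created). Reuses the stored token unless it is missing or
    expires within min_ttl; otherwise mints one scoped to the mount mode."""
    if mode not in SCOPES:
        raise ValueError(f"unknown mount mode {mode!r}")
    now = now or datetime.now(timezone.utc)
    path = PasswordStore.path(bucket, host, mode)
    existing = store.entries.get(path)
    if existing and existing.expires_at - now >= min_ttl:
        return existing, False
    token = create(bucket, host, SCOPES[mode], now)
    store.entries[path] = token  # hot-path config: written only when needed
    return token, True
```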
so-rose added the `security` and `deployment-usability` labels 2023-08-21 15:07:20 +02:00
so-rose added this to the Refactor and Cleanup project 2023-08-21 15:07:21 +02:00
so-rose added a new dependency 2023-08-21 15:07:34 +02:00
Depends on: #24 Configs/Secrets Bootstrapping & Management
Reference: python-support/python-support-infra#28