Obfuscate secret values in .tfstate (e.g. aws_iam_access_key) #4436

Closed
ejoubaud opened this issue Dec 23, 2015 · 4 comments


ejoubaud commented Dec 23, 2015

If I use the aws_iam_access_key module to generate access keys, they end up stored in plain text in terraform.tfstate and there doesn't seem to be a way around that.

Input:

resource "aws_iam_user" "users" {
  count = "${var.user_count}"
  name = "${lookup(var.usernames, count.index)}"
  path = "/"
}

resource "aws_iam_access_key" "users" {
  count = "${var.user_count}"
  user = "${element(aws_iam_user.users.*.name, count.index)}"
}

And now in the tfstate I have (dummy example):

...
                "aws_iam_access_key.users.1": {
                    "type": "aws_iam_access_key",
                    "depends_on": [
                        "aws_iam_user.users"
                    ],
                    "primary": {
                        "id": "AKIAJFHRCD3RDG6S56IA",
                        "attributes": {
                            "id": "AKIAJFHRCD3RDG6S56IA",
                            "secret": "...",
                            "ses_smtp_password": "...",
                            "status": "Active",
                            "user": "myusername"
                        }
                    }
                },
...

Keeping those keys around in plain text should arguably not be encouraged, not be the default and not be a requirement. There should at least be a way to exclude them from the full text plan or somehow encrypt them.
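A check a reviewer could run to list which `aws_iam_access_key` attributes a state file holds in plaintext, without echoing the values. This is an added example, not part of the original post or of Terraform; the top-level `modules` wrapper around the excerpt, the function name `find_plaintext_secrets` and the sample state are assumptions constructed for illustration.

```python
import json

# Attributes the issue shows stored in plaintext, keyed by resource type.
SENSITIVE_ATTRS = {"aws_iam_access_key": ("secret", "ses_smtp_password")}


def find_plaintext_secrets(state):
    """Return (address, attribute, value length) for every populated
    sensitive attribute. The secret value itself is never returned."""
    findings = []
    # Assumption: resources sit under a top-level "modules" list, each module
    # holding a "resources" map shaped like the excerpt in the issue.
    for module in state.get("modules", []):
        path = ".".join(module.get("path", []))
        for name, res in sorted(module.get("resources", {}).items()):
            wanted = SENSITIVE_ATTRS.get(res.get("type"), ())
            attrs = (res.get("primary") or {}).get("attributes") or {}
            for attr in wanted:
                value = attrs.get(attr)
                if value:  # missing or empty means nothing is exposed
                    findings.append((f"{path}:{name}", attr, len(value)))
    return findings


# Constructed sample state: the key id and secrets are placeholders.
SAMPLE_STATE = json.loads("""
{"modules": [{
  "path": ["root"],
  "resources": {
    "aws_iam_user.users.1": {
      "type": "aws_iam_user",
      "primary": {"id": "myusername", "attributes": {"name": "myusername"}}
    },
    "aws_iam_access_key.users.1": {
      "type": "aws_iam_access_key",
      "depends_on": ["aws_iam_user.users"],
      "primary": {"id": "AKIAEXAMPLEPLACEHOLDER", "attributes": {
        "id": "AKIAEXAMPLEPLACEHOLDER",
        "secret": "constructed-placeholder-secret",
        "ses_smtp_password": "constructed-placeholder-smtp",
        "status": "Active",
        "user": "myusername"}}
    }
  }
}]}
""")

if __name__ == "__main__":
    for address, attr, length in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: '{attr}' is stored in plaintext ({length} chars)")
```

To check a real file, pass the result of `json.load` on it; any finding means the state file has to be protected like the credentials it contains.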

@ejoubaud
Author

Also see related #4437

@ejoubaud ejoubaud changed the title from "Obfuscate secret output in .tfstate (e.g. aws_iam_access_key)" to "Obfuscate secret values in .tfstate (e.g. aws_iam_access_key)" on Dec 23, 2015
@jen20
Contributor

jen20 commented Jan 4, 2016

Hi @ejoubaud. Thanks for opening this issue! We have been aware of the need to deal with sensitive parts of the .tfstate for a while now - the first issue which addresses it is #516. It's also relevant to #1421. We have a major refactor here on the roadmap - for now we'll continue to update #516 as it develops, so I'll close this issue - if you'd like to track progress here please subscribe to #516! Thanks!

@jen20 jen20 closed this as completed Jan 4, 2016
@ejoubaud
Author

ejoubaud commented Jan 5, 2016

Thanks @jen20, sorry I missed that one.

@ghost

ghost commented Apr 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 29, 2020