aws_iam_user_login_profile without PGP #18749
Comments
@akingscote In my opinion, this seems like a valid use case. In automated situations and test environments, especially with the
Possibly related #12384
Yes, we need this!
We got tripped up on this too, but due to gpg 2.3.0 using ed25519/cv25519 as the new default (https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/000458.html), which is incompatible with terraform-provider-aws and throws errors like "creation: Error encrypting Password: error parsing given PGP key: openpgp: unsupported feature: unsupported oid: 2b060104019755010501". A ticket (#15384) that was reported to fix this incompatibility was closed as won't fix due to the fact it uses encryption, and the Terraform docs explicitly state that PGP was a failed experiment and should no longer be used (https://www.terraform.io/docs/extend/best-practices/sensitive-state.html#don-39-t-encrypt-state). There needs to be a plain-text alternative much like aws_iam_access_key.
It has not been resolved yet. Is there any other way to create a user without the keybase PGP key?
@bestrocker221 Technically you can still create a user (aws_iam_user) without a profile, but it won't have a password until someone manually enables login in the Console UI. When you create the user you probably want the
@bestrocker221 I ended up creating a little application in golang which just creates a login profile. I then call that with
Happy to share the app if it helps.
Is it a terrible idea to do something like this? The idea is the aws cli is run to create an initial password only when a new user is created, and then you can hand that off to the user via some out-of-band method. The only issue that I see is logs. State has no details of the password.
I'd like to create an aws_iam_user_login_profile resource without the need for PGP. I understand the security risks, but for my use case I want to provision user login profiles in a sandbox environment using automated methods, where I don't want the overhead of using PGP.
I feel that the PGP approach should be recommended, but not mandated for use.
I can have a stab at implementing it myself, but I don't want to waste time if the functionality is intentionally left out and not approved.
Description
The ability to either provide a string password to the aws_iam_user_login_profile resource, or at least not have any dependencies on PGP or a public store like keybase.
New or Affected Resource(s)
Potential Terraform Configuration
Potentially the configuration could be a case of omitting the pgp_key field, or even specifying the password in configuration. Perhaps this would be better, as we can allow the password to come from external sources (like a secret in a key vault).
References
https://github.com/hashicorp/terraform-provider-aws/blob/main/aws/resource_aws_iam_user_login_profile.go
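For reference while the request is open, the following is an added example (not from this issue or the provider's own code) of the pgp_key path the resource supports today, written so that the console password never reaches state or logs in clear text. It assumes the public key is an RSA key exported as base64, since the ed25519 keys gpg 2.3 generates by default are rejected as the comment above describes; the user name, key file name and output name are placeholders.

```hcl
# Added example; user name, key file and output name are placeholders.
# Export the (RSA) public key once, on the machine that holds the private key:
#   gpg --export <key-id> | base64 -w0 > sandbox-admin.pub.b64
resource "aws_iam_user" "sandbox_admin" {
  name = "sandbox-admin"
}

resource "aws_iam_user_login_profile" "sandbox_admin" {
  user = aws_iam_user.sandbox_admin.name

  # Base64-encoded PGP public key (chomp strips any trailing newline).
  # A keybase:username value also works, but ties provisioning to a public store.
  pgp_key = chomp(file("${path.module}/sandbox-admin.pub.b64"))

  # Force a new password at first console sign-in so the provisioning-time
  # value is only ever a bootstrap secret.
  password_reset_required = true
  password_length         = 20
}

# encrypted_password is base64(PGP message). Marking the output sensitive keeps
# it out of plan/apply output; it is still only readable with the private key.
output "sandbox_admin_encrypted_password" {
  value     = aws_iam_user_login_profile.sandbox_admin.encrypted_password
  sensitive = true
}

# Recover the bootstrap password where the private key lives:
#   terraform output -raw sandbox_admin_encrypted_password | base64 --decode | gpg --decrypt
```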