0

Cloud-init has the ability to complement Terraform in configuring the Virtual Machine it just created. My problem is that cloud-init, as uploaded through user-data, means that the script, especially if multi-part, is available on the OpenStack metadata server.

This means any user on that virtual machine can get that user-data by simply running

curl http://169.254.169.254/latest/user-data

Is there any way to pass secrets in a cloud-init file?


This is a follow-up to "Is there a way to install a private key for a user with cloud-init?". There I ask a question which could conceivably be answered with a provisioner that doesn't use cloud-init at all. This question is more broad.

Evan Carroll

1 Answer

0

This means any user on that virtual machine can get that user-data by simply running

curl http://169.254.169.254/latest/user-data

Correct

Is there any way to pass secrets in a cloud-init file?

Some ideas to consider:

  • add a firewall rule at the end of initialization to limit access to 169.254.169.254
  • include a private key in the base image that can be used to decrypt encrypted content which is written via write_files or runcmd / bootcmd
  • include the secret directly in the base image, or via a drive that is attached during provisioning
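Added example (my own code, not from the question or the answer above): a pre-flight check that scans a cloud-init user-data document before Terraform uploads it, on the premise from the question that everything in user-data is readable by every local process via the metadata service. It handles both a bare #cloud-config document and the multi-part MIME form, decodes base64 write_files content so that "encoded" secrets are not mistaken for hidden ones, and flags plaintext private keys and cleartext passwords while counting PGP/age-armoured blobs as acceptable. The two sample documents are constructed: a leaky one that embeds a (fake) private key and a cleartext password, and a hardened one that ships only an age ciphertext plus a shell part that decrypts it with a key assumed to live in the base image at /etc/cloud-image/age-key.txt and finishes with the firewall rule the answer suggests. The key path and the file paths are assumptions; the age and iptables invocations use those tools' real syntax but are not executed here.

```python
"""Pre-flight scanner for cloud-init user-data (stdlib only).

Anything in user-data ends up on http://169.254.169.254/latest/user-data, so the
goal is to refuse documents that carry secrets in the clear and to accept
documents that carry ciphertext only (decryption key baked into the image).
"""
import base64
import binascii
import email
import re

# Markers for secrets that must never appear in user-data in plaintext.
PLAINTEXT_MARKERS = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("cleartext-password", re.compile(r"^\s*(?:passwd|password|plain_text_passwd):\s*\S", re.M)),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# Armoured ciphertext is the acceptable way to ship a secret in user-data.
ENCRYPTED_MARKER = re.compile(r"-----BEGIN (?:PGP MESSAGE|AGE ENCRYPTED FILE)-----")
# A line that is (or continues) a base64 blob, e.g. write_files "encoding: b64".
B64_LINE = re.compile(r"^\s*(?:content:\s*)?([A-Za-z0-9+/=]{16,})\s*$")


def _split_parts(text):
    """Return the text of each MIME part, or the whole document if it is not multipart."""
    if not text.lstrip().startswith(("Content-Type:", "MIME-Version:")):
        return [text]
    parts = []
    for part in email.message_from_string(text).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append(payload.decode("utf-8", "replace"))
    return parts


def _decoded_base64_runs(text):
    """Yield printable plaintext hidden behind base64 (one run per contiguous blob)."""
    run = []
    for line in text.splitlines() + [""]:  # sentinel flushes the last run
        match = B64_LINE.match(line)
        if match:
            run.append(match.group(1))
            continue
        if run:
            try:
                raw = base64.b64decode("".join(run), validate=True)
            except (binascii.Error, ValueError):
                raw = b""
            # Only ASCII text is worth re-scanning; binary (real ciphertext) is not.
            if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
                yield raw.decode("ascii")
            run = []


def scan_user_data(text):
    """Scan a user-data document; return plaintext-secret findings and the count of encrypted blobs."""
    findings, encrypted = [], 0
    for idx, part in enumerate(_split_parts(text)):
        encrypted += len(ENCRYPTED_MARKER.findall(part))
        candidates = [(part, f"part {idx}")]
        candidates += [(p, f"part {idx} (base64-decoded)") for p in _decoded_base64_runs(part)]
        for blob, where in candidates:
            for kind, pattern in PLAINTEXT_MARKERS:
                if pattern.search(blob):
                    findings.append((kind, where))
    return {"findings": findings, "encrypted_blobs": encrypted}


def is_safe_to_upload(text):
    """True when no plaintext secret was found anywhere in the document."""
    return not scan_user_data(text)["findings"]


# --- constructed samples (not real keys, not real ciphertext) ---------------
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "CONSTRUCTED-NOT-A-REAL-KEY\n"
            "-----END OPENSSH PRIVATE KEY-----\n")

# The anti-pattern: a private key (base64 "hidden") and a cleartext password in user-data.
LEAKY_USER_DATA = f"""#cloud-config
write_files:
  - path: /home/deploy/.ssh/id_ed25519
    permissions: '0600'
    encoding: b64
    content: {base64.b64encode(FAKE_KEY.encode()).decode()}
users:
  - name: deploy
    plain_text_passwd: hunter2
"""

# The pattern from the answer: ciphertext in user-data, key in the image, firewall rule last.
CIPHERTEXT_BODY = base64.b64encode(b"\x00\x01constructed-ciphertext\xff").decode()
HARDENED_USER_DATA = f"""Content-Type: multipart/mixed; boundary="==BOUNDARY=="
MIME-Version: 1.0

--==BOUNDARY==
Content-Type: text/cloud-config; charset="us-ascii"

#cloud-config
write_files:
  - path: /run/secrets/deploy-key.age
    permissions: '0600'
    content: |
      -----BEGIN AGE ENCRYPTED FILE-----
      {CIPHERTEXT_BODY}
      -----END AGE ENCRYPTED FILE-----
--==BOUNDARY==
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/sh
# Decryption key is baked into the base image (assumed path), never sent as user-data.
age -d -i /etc/cloud-image/age-key.txt -o /home/deploy/.ssh/id_ed25519 /run/secrets/deploy-key.age
rm -f /run/secrets/deploy-key.age
# Last step of initialization: stop non-root processes from reading the metadata service.
iptables -A OUTPUT -d 169.254.169.254 -m owner ! --uid-owner 0 -j REJECT
--==BOUNDARY==--
"""

if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_USER_DATA), ("hardened", HARDENED_USER_DATA)):
        result = scan_user_data(doc)
        print(name, "findings:", result["findings"], "encrypted blobs:", result["encrypted_blobs"])
```

Run it as a step before `terraform apply` (or feed it the rendered `user_data` from a plan) and fail the pipeline on any finding. The iptables rule in the hardened sample is deliberately the final command, since cloud-init itself still needs the metadata service during earlier stages, and it restricts rather than removes access because root still needs it for later re-runs.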