Sug*_*S N 3 amazon-web-services amazon-iam terraform
I am new to creating IAM users with Terraform. I am using the Terraform file below, but when I look at the user in the AWS console it says console login is not enabled (image attached). Please help me understand how to enable a password.
```hcl
resource "aws_iam_user" "lb" {
  name = "${var.user_name}"
  # path = "/system/"
  # tags = {
  #   tag-key = "tag-value"
  # }
}

# Programmatic (API) credentials for the user
resource "aws_iam_access_key" "lb" {
  user = "${aws_iam_user.lb.name}"
}

# Inline read-only EC2 policy attached directly to the user
resource "aws_iam_user_policy" "lb_ro" {
  name   = "test"
  user   = "${aws_iam_user.lb.name}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Console login profile; the generated initial password is encrypted
# to the PGP public key given in pgp_key, so it never appears in plaintext
resource "aws_iam_user_login_profile" "u" {
  user                    = "${aws_iam_user.lb.name}"
  password_reset_required = true
  pgp_key                 = "${base64encode(file("/Terraform_practice/iam_terra/oli.gpg.pubkey"))}"
  # pgp_key = "keybase:deekshithsn"
}

output "password" {
  value = "${aws_iam_user_login_profile.u.encrypted_password}"
}
```
var*_*nit 10
Hi, I found the problem. To create an IAM user with console login enabled you need to install Keybase on your OS (see its documentation for more information).
Then you need to create a PGP key in your local Keybase keychain with this command:
```shell
keybase pgp gen
```
Then add a reference to the created key in your Terraform file, like this:
```hcl
provider "aws" {
  region                  = "us-east-1"
  shared_credentials_file = "/home/username/.aws/credentials"
  profile                 = "default"
}

resource "aws_iam_user" "u" {
  name          = "terraform"
  path          = "/"
  force_destroy = true
}

# Console login profile; the initial password is encrypted to the
# Keybase user's PGP public key, which Terraform fetches by username
resource "aws_iam_user_login_profile" "u" {
  user    = "${aws_iam_user.u.name}"
  pgp_key = "keybase:your_keybase_username"
}

output "password" {
  value = "${aws_iam_user_login_profile.u.encrypted_password}"
}
```
Then run:
```shell
terraform apply
```
Terraform will then output the password in encrypted form, which needs to be decrypted with the following command:
```shell
terraform output password | base64 --decode | keybase pgp decrypt
```
I have tested this and it works fine. Let me know if it helps.
I managed to do it without using Keybase. I had naively passed the key ID instead of the actual public key.
```shell
# Generate a key pair in the local GnuPG keyring
gpg --generate-key
# Export the public key in binary form and base64-encode it, which is
# the format the pgp_key argument expects (exports every public key in
# the keyring; pass a key ID to export only one)
gpg --export | base64 > public.gpg
```
Then in Terraform:
```hcl
# pgp_key takes the base64-encoded binary public key produced above
resource "aws_iam_user_login_profile" "test-user" {
  user    = aws_iam_user.test-user.name
  pgp_key = file("public.gpg")
}

output "password" {
  value = aws_iam_user_login_profile.test-user.encrypted_password
}
```
Decrypt the password:
```shell
# Read the output line `password = "uuu"`, strip the spaces and quotes,
# and export the result as a bash variable called `password`
export $(terraform output | sed 's/ //g' | sed 's/"//g')
# Now base64-decode it and decrypt it with the matching private key
echo $password | base64 -d | gpg -d
```
Edit: I now always use gpg with `gpg --expert --full-gen-key` and choose ECC secp256k1. I haven't tried this with Terraform yet, but it produces smaller keys and messages than RSA, and I expect it to be more secure since it is the same algorithm Bitcoin uses.
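Both answers above hinge on giving `pgp_key` the right thing: either `keybase:<username>` or the base64 encoding of a binary OpenPGP public key, and the second answer's own mistake was passing a key ID instead. The script below is an added example, not code from either answer or from the Terraform provider: it classifies a candidate `pgp_key` value locally by parsing the first OpenPGP packet header (RFC 4880 section 4.2) so that a key ID, an ASCII-armored key, or a file that is not a key at all is caught before `terraform apply`. The sample key it checks is a constructed minimal v4 RSA packet, not a real key.

```python
"""Sanity-check a value before handing it to Terraform's pgp_key argument.

Added example, not from the original answers. aws_iam_user_login_profile
accepts either "keybase:<username>" or the base64 encoding of a *binary*
OpenPGP public key (what `gpg --export <key-id> | base64` produces).
"""
import base64
import binascii
import re
import struct

PUBLIC_KEY_TAG = 6  # RFC 4880: the first packet of an exported public key
PUBKEY_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
                16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def _bad(detail):
    return {"ok": False, "kind": "invalid", "detail": detail}


def classify_pgp_key(value):
    """Return {"ok", "kind", "detail"} describing what `value` really is."""
    v = value.strip()
    if v.startswith("keybase:"):
        return {"ok": True, "kind": "keybase", "detail": v[len("keybase:"):]}
    if v.startswith("-----BEGIN PGP"):
        return {"ok": False, "kind": "armored",
                "detail": "ASCII-armored key; Terraform needs base64 of the binary export"}
    if re.fullmatch(r"(0x)?[0-9A-Fa-f]{8,40}", v):
        return {"ok": False, "kind": "keyid",
                "detail": "looks like a key ID or fingerprint, not a public key"}
    try:
        raw = base64.b64decode(v, validate=True)
    except binascii.Error:
        return _bad("not valid base64")
    return inspect_packet(raw)


def inspect_packet(raw):
    """Parse the first OpenPGP packet header and require a v4 public-key packet."""
    if len(raw) < 2 or not raw[0] & 0x80:
        return _bad("first byte is not an OpenPGP packet header")
    hdr = raw[0]
    try:
        if hdr & 0x40:  # new-format header: tag in the low 6 bits, variable-size length
            tag = hdr & 0x3F
            first = raw[1]
            if first < 192:
                off, length = 2, first
            elif first < 224:
                off, length = 3, ((first - 192) << 8) + raw[2] + 192
            elif first == 255:
                off, length = 6, struct.unpack(">I", raw[2:6])[0]
            else:
                return _bad("partial body length is not valid for a key packet")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 0:
                off, length = 2, raw[1]
            elif ltype == 1:
                off, length = 3, struct.unpack(">H", raw[1:3])[0]
            elif ltype == 2:
                off, length = 5, struct.unpack(">I", raw[1:5])[0]
            else:
                return _bad("indeterminate length is not valid for a key packet")
    except (IndexError, struct.error):
        return _bad("truncated packet header")
    if tag != PUBLIC_KEY_TAG:
        return {"ok": False, "kind": "packet",
                "detail": "first packet has tag %d, expected %d (public key)" % (tag, PUBLIC_KEY_TAG)}
    body = raw[off:off + length]
    if len(body) < 6 or body[0] != 4:
        return _bad("public-key packet is truncated or not version 4")
    algo = body[5]  # version(1) + creation time(4) + algorithm(1)
    return {"ok": True, "kind": "public_key", "detail": PUBKEY_ALGOS.get(algo, "algo %d" % algo)}


def sample_rsa_public_key_b64():
    """Constructed test vector: a minimal v4 RSA public-key packet (not a real key)."""
    body = (bytes([0x04])                      # version 4
            + (0x5F000000).to_bytes(4, "big")  # creation time
            + bytes([0x01])                    # algorithm 1 = RSA
            + b"\x00\x10\xc0\x01"              # MPI n (16 bits, toy value)
            + b"\x00\x11\x01\x00\x01")         # MPI e = 65537
    packet = bytes([0x99]) + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-octet length
    return base64.b64encode(packet).decode()


if __name__ == "__main__":
    for candidate in [sample_rsa_public_key_b64(), "keybase:alice", "0x1234ABCD",
                      "-----BEGIN PGP PUBLIC KEY BLOCK-----", "not base64!!"]:
        print(classify_pgp_key(candidate))
```

Run it with `python3 check_pgp_key.py`, or feed it the contents of `public.gpg` from the answer above; a result with `"kind": "public_key"` means Terraform will be able to encrypt the password to it, while `"keyid"`, `"armored"` or `"packet"` point at the specific mistake.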
Views: 4990