
When creating a new RDS instance on AWS via the AWS CLI tools, is it possible to use a master password which is encrypted with an AWS KMS key? E.g. using this command: http://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html

I'm asking because I don't want to store clear text passwords in my dev environment (using Terraform or CloudFormation), but rather encrypted values which are transparently decrypted by the corresponding AWS components.

derFunk

1 Answer


If you wanted to do this with the CLI you could always encrypt the password with a KMS key and then run two commands to decrypt the password and create the database.

So something like this might work:

# create-db-instance is the actual subcommand name; the master username may
# only contain letters and digits, so no hyphens
aws rds create-db-instance ... \
--master-username adminuser \
--master-user-password "$(aws kms decrypt --ciphertext-blob fileb://path/to/kms/encrypted/file/with/password --output text --query Plaintext | base64 --decode)"

If you wanted to still use Terraform for creating your database instances then I've previously answered a question along similar lines. Although that question is more concerned with the database being stored in a remote state file.

If you were equally concerned about keeping the password in your code then I'd consider simply using a variable for your password and then passing that in on the CLI or using an environment variable.

Equally you could use the aws_kms_secret data source to decrypt your password on the fly. That will leak the password to logs and state files though:

$ echo -n 'master-password' > plaintext-password
$ aws kms encrypt \
> --key-id ab123456-c012-4567-890a-deadbeef123 \
> --plaintext fileb://plaintext-password \
> --encryption-context foo=bar \
> --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==

And then in Terraform:

# Decrypts the KMS ciphertext at plan/apply time; the resulting plaintext is
# written to the state file and shows up in plan output.
data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

    # Must match the --encryption-context passed to `aws kms encrypt`
    context {
      foo = "bar"
    }
  }
}

resource "aws_rds_cluster" "rds" {
  master_username = "root"
  master_password = "${data.aws_kms_secret.db.master_password}"

  # ...
}
Emii Khaos
ydaetskcoR
  • Thanks for your answer Rocksteady! I tried the `aws_kms_secret` already but this doesn't work as expected, I asked the devs to clarify on the documentation here: https://github.com/hashicorp/terraform/issues/12800. This would indeed be my preferred way when using Terraform. I'm still researching it. – derFunk Mar 17 '17 at 15:07
  • If that's not working for you then, as mentioned, you could run a shell script that grabs the decrypted plaintext from an encrypted file and exports it as an environment variable to be used by Terraform when it runs. – ydaetskcoR Mar 17 '17 at 15:09
  • Yet the interesting point here is: You cannot simply pass an encrypted password to RDS along with the Key ID and expect RDS to decrypt it transparently for the according use case, correct? – derFunk Mar 18 '17 at 07:11
  • Correct but that's because AWS' APIs don't support that (yet). – ydaetskcoR Mar 18 '17 at 07:12
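The two-step CLI flow from the answer and the "shell script that exports the decrypted value for Terraform" idea from the comments, written out as one added example (this is not code from the answer or from AWS/HashiCorp). It assumes the ciphertext file holds the base64 text that `aws kms encrypt --output text --query CiphertextBlob` prints, that the caller's IAM identity may call Decrypt on the key, that the encryption context at encrypt time was foo=bar as in the answer, and that the Terraform side declares a `variable "master_password"` (all of these are assumptions, not from the page). The plaintext is only ever held in a shell variable, never written to disk or echoed.

```shell
#!/bin/sh
# Added example, not the original answer's code. Decrypts a KMS-wrapped RDS
# master password at deploy time and hands it to the AWS CLI or to Terraform.
set -eu

# Decrypt a base64 ciphertext file and print the plaintext on stdout.
# The CLI expects raw ciphertext bytes via fileb://, so the base64 text is
# decoded into a temporary file readable only by this user.
# Assumed encryption context: foo=bar (must match what encrypt used).
kms_plaintext() {
  ciphertext_b64_file=$1
  tmp=$(umask 077 && mktemp)
  base64 --decode < "$ciphertext_b64_file" > "$tmp"
  plaintext=$(aws kms decrypt \
    --ciphertext-blob "fileb://$tmp" \
    --encryption-context foo=bar \
    --output text --query Plaintext | base64 --decode)
  rm -f "$tmp"
  if [ -z "$plaintext" ]; then
    echo "kms_plaintext: decrypt returned nothing" >&2
    return 1
  fi
  printf '%s' "$plaintext"
}

# Path 1: the answer's CLI flow. Engine/class/storage values are assumed.
create_db_instance() {
  ciphertext_b64_file=$1
  identifier=$2
  password=$(kms_plaintext "$ciphertext_b64_file")
  aws rds create-db-instance \
    --db-instance-identifier "$identifier" \
    --db-instance-class db.t3.micro \
    --engine postgres \
    --allocated-storage 20 \
    --master-username adminuser \
    --master-user-password "$password"
}

# Path 2: export the plaintext as TF_VAR_master_password so Terraform fills
# variable "master_password" without the value living in any .tf file.
export_for_terraform() {
  TF_VAR_master_password=$(kms_plaintext "$1")
  export TF_VAR_master_password
}

# Stand-alone use: sh deploy.sh ./master-password.b64 example-db
if [ "$#" -ge 2 ]; then
  create_db_instance "$1" "$2"
fi
```

Note that with path 1 the password is still briefly visible to other local users in `ps` output while the CLI call runs, and Terraform will still write it to the state file whichever path feeds it in; the script only keeps it out of source files and logs.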