Syncplicity Support

Password provider setup

The role of the password provider is to supply a securely stored keystore password during Storage Connector startup. The password is provided in a way that doesn't expose it to users who have root permissions and access to the Storage Connector instance.

Storage Connector deployed in AWS

Below are the steps to configure and enable the aws_provider for the case where the Storage Connector is hosted in AWS.

  1. Install the awscli and jq packages (required by the AWS password provider). Note that jq requires the EPEL repository, which is already enabled in Storage Connector 3.x versions.
    yum install awscli jq

  2. Copy the following content to /usr/lib/syncp-storage/security/providers/aws_provider

    #########################################################################################
    #
    # AWS password provider.
    #
    # Requires the following parameter to be set (in /etc/syncp-storage/syncp-storagerc):
    #
    # AWS_PROVIDER_ALIAS - the name of the SSM parameter which contains the desired password.
    #
    # AWS_PROVIDER_ROLE and AWS_PROVIDER_REGION are not read: the instance role and the
    # region are discovered from the EC2 instance metadata service (169.254.169.254).
    # The role must grant permission to read that parameter from AWS SSM Parameter Store.
    #
    # The Storage Connector consumes this provider's stdout as the keystore password,
    # so all diagnostic messages are written to stderr.
    #
    #########################################################################################

    # Checks the parameter presence. Available to use in the providers.
    #
    # $1 - parameter name.
    function check_parameter() {
        if [ -z "${!1}" ]
        then
            echo "Parameter $1 is required, but not set!" 1>&2
            exit 1
        fi
    }

    # Checks the executable presence. Available to use in the providers.
    #
    # $1 - executable name.
    # $2 - hint message to be printed if the executable is not present.
    function check_executable() {
        if ! command -v "$1" > /dev/null
        then
            echo "The program $1 is required, but not installed!" 1>&2
            echo "$2" 1>&2
            exit 1
        fi
    }

    # Drops the temporary credentials from the environment once the password has been read.
    function aws_unauthenticate() {
        unset AWS_SECRET_ACCESS_KEY
        unset AWS_SESSION_TOKEN
        unset AWS_ACCESS_KEY_ID
    }

    # Authenticates using the Instance Role.
    # See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
    # Note: these are IMDSv1 requests (no session token); on an instance that enforces IMDSv2
    # they are rejected and the provider aborts.
    function aws_authenticate() {

        # As per AWS docs, only one role may be assigned to an instance at a time (i.e. only one line is returned in the response).
        local aws_role
        aws_role=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
        if [ $? -ne 0 ] || [ -z "$aws_role" ]
        then
            echo "Could not obtain AWS instance role!" 1>&2
            exit 1
        fi

        local aws_cred
        aws_cred=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/$aws_role")
        if [ $? -ne 0 ] || [ -z "$aws_cred" ]
        then
            echo "Failed to obtain AWS credentials for role $aws_role. Aborting..." 1>&2
            exit 1
        fi

        export AWS_ACCESS_KEY_ID="$(echo "$aws_cred" | jq -r .AccessKeyId)"
        export AWS_SECRET_ACCESS_KEY="$(echo "$aws_cred" | jq -r .SecretAccessKey)"
        export AWS_SESSION_TOKEN="$(echo "$aws_cred" | jq -r .Token)"

        # jq prints "null" for a missing field, e.g. when the metadata service returned an error document.
        if [ "$AWS_ACCESS_KEY_ID" = "null" ] || [ "$AWS_SECRET_ACCESS_KEY" = "null" ] || [ "$AWS_SESSION_TOKEN" = "null" ]
        then
            echo "Credentials document for role $aws_role is incomplete. Aborting..." 1>&2
            aws_unauthenticate
            exit 1
        fi
    }

    # Provider entry point.
    function get_keystore_passwd() {
        check_executable aws "Install AWS CLI tools by running 'yum install awscli'."
        check_executable jq "Install jq by running 'yum install jq'. Note: this package is available only in the EPEL repository."

        check_parameter AWS_PROVIDER_ALIAS

        aws_authenticate

        # The availability zone minus its trailing letter is the region, e.g. us-east-1a -> us-east-1.
        local aws_region
        aws_region=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -r 's/[a-z]{1}$//')
        if [ $? -ne 0 ] || [ -z "$aws_region" ]
        then
            echo "Could not obtain AWS instance region!" 1>&2
            aws_unauthenticate
            exit 1
        fi

        # Declared and assigned separately so that the result of the pipeline is not masked by 'local'.
        local pass
        pass=$(aws --region "$aws_region" ssm get-parameter --with-decryption --name "$AWS_PROVIDER_ALIAS" | jq -r ".Parameter.Value")

        aws_unauthenticate

        # An empty or "null" value means the parameter could not be read (missing, access denied, or not decryptable).
        if [ -z "$pass" ] || [ "$pass" = "null" ]
        then
            echo "Could not read parameter $AWS_PROVIDER_ALIAS from SSM Parameter Store!" 1>&2
            exit 1
        fi

        echo "$pass"
    }

  3. Fix the permissions and ownership of the file:
    chown syncp-storage:syncp-storage /usr/lib/syncp-storage/security/providers/aws_provider
    chmod 0600 /usr/lib/syncp-storage/security/providers/aws_provider
  4. Configure the Storage Connector to use aws_provider. In the /etc/syncp-storage/syncp-storagerc file, the following variables have to be uncommented and set:
    PASS_PROVIDER=aws_provider
    AWS_PROVIDER_ALIAS=keystore_parameter
  5. Enable AWS password provider:
    1. Create an AWS IAM role with read-only access to the AWS SSM Parameter Store. Assign this role to the Storage Connector AWS instance.
    2. Create an encrypted parameter in the AWS SSM Parameter Store. The name of this parameter must match the value of AWS_PROVIDER_ALIAS in syncp-storagerc and the value must contain the keystore password.
      aws ssm put-parameter --name keystore_parameter --type SecureString --value "$KEYSTORE_PASSWORD"

Additional security configuration in AWS

When using aws_provider in AWS environment, the following security precautions should be taken:

  1. The AWS instance role requires only one grant: ssm:GetParameter. All other access should be denied for this role.

  2. It is mandatory to limit the AWS instance role's SSM access to the single parameter owned by this application. This is done by restricting the Resource element of the role's IAM policy. For example, the following policy allows access only to the parameter named JKSCR:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ssm:GetParameter",
                "Resource": [
                    "arn:aws:ssm:$REGION:$ACCOUNT_ID:parameter/JKSCR"
                ]
            }
        ]
    }

  3. You may use different custom KMS keys for different applications instead of the default one (Master Key). To do so, first create a custom key in KMS, then create the desired parameter in SSM specifying this key as the encryption key. Finally, add the IAM instance role as a user of this key, so that the instance is allowed to use the key for decryption.

When all these precautions are taken, different applications using the same aws_provider logic are isolated and protected from each other.
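The three precautions above carried out with the AWS CLI, as an added example that is not part of this page or of the Storage Connector itself. It fills the $REGION/$ACCOUNT_ID placeholders of the policy shown above, writes a key policy for a dedicated KMS key that grants the instance role kms:Decrypt only (the "key user" step, narrowed to what get-parameter --with-decryption needs), and creates the SecureString parameter under that key. The region, account id, role name, parameter name and the path of the file holding the password are supplied by the caller; the Sid strings and the inline policy name are made up here, and the aws CLI is assumed to be installed and authenticated as an administrator.

```shell
#!/bin/sh
# Added example (not Syncplicity's code): provision a least-privilege SSM parameter
# for the aws_provider. Assumes an authenticated aws CLI and an existing instance role.

# IAM policy for the instance role: one action on one parameter ARN.
# $1 - region, $2 - account id, $3 - parameter name
role_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadKeystoreParameter",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:$1:$2:parameter/$3"
    }
  ]
}
EOF
}

# Key policy for a dedicated KMS key: the account root keeps administration
# (the KMS default), the instance role gets Decrypt and nothing else.
# $1 - account id, $2 - role name
kms_key_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "StorageConnectorDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:role/$2" },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
EOF
}

# $1 - region, $2 - account id, $3 - role name, $4 - parameter name,
# $5 - file containing the keystore password WITHOUT a trailing newline
#      (create it with: printf '%s' "$KEYSTORE_PASSWORD" > file).
# The CLI reads string parameters from file:// URIs, so the password never
# appears on the command line, in the process list or in the shell history.
provision_keystore_parameter() {
    region=$1 account=$2 role=$3 param=$4 secret_file=$5
    tmp=$(mktemp -d) || return 1
    kms_key_policy_json "$account" "$role" > "$tmp/key-policy.json"
    role_policy_json "$region" "$account" "$param" > "$tmp/role-policy.json"

    key_id=$(aws --region "$region" kms create-key \
        --description "Storage Connector keystore ($param)" \
        --query KeyMetadata.KeyId --output text) || return 1
    aws --region "$region" kms put-key-policy --key-id "$key_id" \
        --policy-name default --policy "file://$tmp/key-policy.json" || return 1
    aws --region "$region" ssm put-parameter --name "$param" \
        --type SecureString --key-id "$key_id" \
        --value "file://$secret_file" || return 1
    aws iam put-role-policy --role-name "$role" \
        --policy-name "ssm-read-$param" \
        --policy-document "file://$tmp/role-policy.json" || return 1
    rm -rf "$tmp"
    echo "Parameter $param is encrypted with KMS key $key_id and readable only by role $role"
}

# Usage: sh provision.sh provision us-east-1 123456789012 storage-connector-role keystore_parameter /root/keystore.pw
if [ "${1:-}" = provision ]; then
    shift
    provision_keystore_parameter "$@"
fi
```

Because the SSM parameter is bound to the key in the put-parameter call and the role appears only in that key's policy and in the single-ARN inline policy, a second application provisioned the same way with its own key and parameter cannot read this one even if both share the aws_provider script.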

Storage Connector deployed in ESXi or similar hypervisor

At this time, we cannot offer an out-of-the-box solution for the case where the Storage Connector is deployed in ESXi or a similar hypervisor. It's up to the administrators to provide or implement such a solution. A possible scenario is to keep the password in a password vault, or to encrypt it using an HSM, and to implement scripts that decrypt it and provide it during Storage Connector startup.

File password provider

For demo/experimental purposes, a file password provider is included in the Storage Connector installation. It allows storing the keystore password in a separate file in plain text. This is not a truly secure solution, but it helps in understanding the password provisioning logic. Here are the steps to configure the provider:

  1. Store the password in a text file. Here's an example:
    echo "keystorepassword" > /etc/syncp-storage/keystore.config
  2. Fix the permissions and ownership of the file:
    chown syncp-storage:syncp-storage /etc/syncp-storage/keystore.config
    chmod 0600 /etc/syncp-storage/keystore.config
  3. Enable and configure the file_provider: open the /etc/syncp-storage/syncp-storagerc file and make sure that the following variables are uncommented and set:
    PASS_PROVIDER=file_provider
    FILE_PROVIDER_PATH=/etc/syncp-storage/keystore.config
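A pre-flight check that exercises a provider the way the Storage Connector will, written for this page as an added example (it is not part of the product and is not the code of file_provider, which the page does not show). It applies to the aws_provider above as well as to file_provider: the provider file is sourced in a subshell, get_keystore_passwd is run with the syncp-storagerc settings passed as NAME=VALUE arguments, and the check passes only when exactly one non-empty line reaches stdout, because anything else printed there (a warning, a debug line, an error message) would be consumed as the password. It also verifies the 0600 mode and ownership the steps above require. It assumes GNU stat (Linux); the expected owner and all paths are supplied by the caller.

```shell
#!/bin/bash
# Added example (not Syncplicity's code): validate a password provider before
# pointing PASS_PROVIDER at it. Providers shipped with the Storage Connector use
# bash syntax, so run this checker with bash. Assumes GNU stat.

# Verify that a secret-bearing file is owned by $2 and has mode 0600 or stricter.
# $1 - file path, $2 - expected owner (syncp-storage on a real host)
check_secret_file() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 0600 (run chmod 0600)" >&2; return 1 ;;
    esac
    got=$(stat -c '%U' "$f") || return 1
    [ "$got" = "$owner" ] || { echo "$f: owned by $got, expected $owner" >&2; return 1; }
}

# Run a provider as the Storage Connector would and check what it produces.
# $1 - provider file; remaining arguments are NAME=VALUE settings that normally
#      come from /etc/syncp-storage/syncp-storagerc (e.g. FILE_PROVIDER_PATH=...).
# Returns 0 only if the provider exits 0 and prints exactly one non-empty line.
# The password itself is never printed by this function.
check_provider() {
    prov=$1; shift
    errf=$(mktemp) || return 1
    status=0
    # Subshell: a provider that calls 'exit 1' must not terminate this checker,
    # and its exported credentials must not leak into our environment.
    out=$(
        for kv in "$@"; do export "$kv"; done
        . "$prov" && get_keystore_passwd
    ) 2>"$errf" || status=$?
    if [ "$status" -ne 0 ]; then
        echo "$prov: exited with status $status:" >&2
        cat "$errf" >&2
        rm -f "$errf"
        return 1
    fi
    rm -f "$errf"
    if [ -z "$out" ]; then
        echo "$prov: printed an empty password" >&2
        return 1
    fi
    # Command substitution strips trailing newlines, so a clean provider yields one line.
    lines=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    if [ "$lines" -ne 1 ]; then
        echo "$prov: printed $lines lines on stdout; only the password may go there" >&2
        return 1
    fi
    echo "$prov: OK (single-line password, nothing else on stdout)" >&2
}
```

On a Storage Connector host this would be run as root, for example `check_secret_file /etc/syncp-storage/keystore.config syncp-storage` followed by `check_provider /usr/lib/syncp-storage/security/providers/file_provider FILE_PROVIDER_PATH=/etc/syncp-storage/keystore.config`, or with `aws_provider AWS_PROVIDER_ALIAS=keystore_parameter` on an EC2 instance. A provider that writes its diagnostics to stdout fails the second check, which is the failure mode the stderr redirections in the aws_provider above are there to prevent.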