The role of the password provider is to supply a securely stored keystore password during Storage Connector startup. The password is provided in a way that does not expose it to users who have root permissions and access to the Storage Connector instance.
Storage Connector deployed in AWS
Below are the steps to configure and enable the aws_provider when the Storage Connector is hosted in AWS.
- Install the awscli and jq packages (required by the AWS password provider). Note that jq requires the EPEL repository, which is already enabled in Storage Connector 3.x versions.

```
yum install awscli jq
```
- Copy the following content to /usr/lib/syncp-storage/security/providers/aws_provider
- Fix the permissions and ownership of the file:

```
chown syncp-storage:syncp-storage /usr/lib/syncp-storage/security/providers/aws_provider
chmod 0600 /usr/lib/syncp-storage/security/providers/aws_provider
```
- Configure Storage Connector to use aws_provider. In the /etc/syncp-storage/syncp-storagerc file, the following variables have to be uncommented and set:

```
PASS_PROVIDER=aws_provider
AWS_PROVIDER_ALIAS=keystore_parameter
```
- Enable the AWS password provider:
  - Create an AWS IAM role with read-only access to the AWS SSM Parameter Store. Assign this role to the Storage Connector AWS instance.
  - Create an encrypted parameter in the AWS SSM Parameter Store. The name of this parameter must match the value of AWS_PROVIDER_ALIAS in syncp-storagerc, and the value must contain the keystore password:

```
aws ssm put-parameter --name keystore_parameter --type SecureString --value "$KEYSTORE_PASSWORD"
```
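As an added illustration (it is not the aws_provider script the page refers to, whose content is not reproduced here), the following POSIX sh provider works in the same spirit: it reads AWS_PROVIDER_ALIAS from syncp-storagerc without sourcing the file, fetches the decrypted SecureString with the awscli, and writes the password only to stdout. Assumptions of my own: the Storage Connector takes the password from the provider's standard output, the SYNCP_STORAGE_RC override variable and the function names are invented for this example, and the JSON extraction that the original does with jq is done here with the CLI's --query/--output text options instead.

```shell
#!/bin/sh
# Added example of a keystore password provider for the AWS case.
# Not the project's own aws_provider script. Assumptions: the Storage
# Connector reads the password from this script's stdout, and the
# SYNCP_STORAGE_RC variable (hypothetical) exists only so the functions
# can be exercised against a temporary rc file.
set -eu

RC_FILE="${SYNCP_STORAGE_RC:-/etc/syncp-storage/syncp-storagerc}"

# Extract AWS_PROVIDER_ALIAS from the rc file without sourcing it: sourcing
# would execute anything written into that file. Commented-out lines are
# ignored; the last uncommented assignment wins.
read_alias() {
    sed -n 's/^[[:space:]]*AWS_PROVIDER_ALIAS=\([A-Za-z0-9_./-]*\).*$/\1/p' "$1" | tail -n 1
}

# Fetch and decrypt the SecureString parameter. --query/--output text make the
# CLI print only the value, which replaces the jq step of the real provider.
# Fails closed: an empty result is an error, not an empty password.
fetch_password() {
    value=$(aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text)
    if [ -z "$value" ]; then
        echo "aws_provider: parameter '$1' returned no value" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

main() {
    umask 077   # anything this script happens to create stays private
    alias_name=$(read_alias "$RC_FILE")
    if [ -z "$alias_name" ]; then
        echo "aws_provider: AWS_PROVIDER_ALIAS is not set in $RC_FILE" >&2
        exit 1
    fi
    # The password goes to stdout only; it is never logged or echoed to stderr.
    fetch_password "$alias_name"
}

# Run main only when executed as the installed provider script, so the
# functions can be reused or exercised without contacting AWS.
case "$0" in
    *aws_provider) main ;;
esac
```

When the file is installed as /usr/lib/syncp-storage/security/providers/aws_provider the case guard matches and main runs; the instance role behind it needs nothing beyond ssm:GetParameter on that one parameter (plus kms:Decrypt on the key if a custom KMS key is used), which is exactly the least-privilege posture the next section asks for.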
Additional security configuration in AWS
When using aws_provider in an AWS environment, the following security precautions should be taken:
- The AWS instance role requires only one grant: ssm:GetParameter. All other access should be forbidden for this role.
- It is mandatory to limit the AWS instance role's SSM access to the single parameter owned by this application. This may be done by employing AWS IAM resource-based policies. For example, the following policy allows access only to the parameter named JKSCR:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": [
        "arn:aws:ssm:$REGION:$ACCOUNT_ID:parameter/JKSCR"
      ]
    }
  ]
}
```
- You may use different custom KMS keys for different applications instead of the default one (Master Key). To do so, first create a custom key in KMS, then create the desired parameter in SSM specifying this key as the encryption key. Finally, add the IAM instance role as a user of this key so that the instance can use it for decryption.
When all these precautions are taken, different applications using the same aws_provider logic are isolated and protected from each other.
Storage Connector deployed in ESXi or a similar hypervisor
At this time, we cannot offer an out-of-the-box solution for the case where the Storage Connector is deployed in ESXi or a similar hypervisor. It is up to the administrators to provide or implement such a solution. A possible scenario is to keep the password in a password vault, or to encrypt it using an HSM, and to implement scripts that decrypt it and provide it during Storage Connector startup.
File password provider
For demo/experimental purposes, a file password provider is included in the Storage Connector installation. It stores the keystore password in a separate file in plain text. This is not a truly secure solution, but it helps in understanding the password provisioning logic. Here are the steps to configure the provider:
- Store the password in a text file. Here's an example:

```
echo "keystorepassword" > /etc/syncp-storage/keystore.config
```
- Fix the permissions and ownership of the file:

```
chown syncp-storage:syncp-storage /etc/syncp-storage/keystore.config
chmod 0600 /etc/syncp-storage/keystore.config
```
- Enable and configure the file_provider: open the /etc/syncp-storage/syncp-storagerc file and make sure that the following variables are uncommented and set:

```
PASS_PROVIDER=file_provider
FILE_PROVIDER_PATH=/etc/syncp-storage/keystore.config
```