access environment.yaml data from the hooks

Jorge Niedbalski jorge.niedbalski at canonical.com
Fri Jul 11 12:14:21 UTC 2014


Hello,

On Fri, Jul 11, 2014 at 12:36 PM, Kapil Thangavelu
<kapil.thangavelu at canonical.com> wrote:
> On Fri, Jul 11, 2014 at 4:44 AM, Tudor Rogoz <rogoz at adobe.com> wrote:
>>
[...]
>>
>
> Juju doesn't allow for extraction of provider credentials from the state
> server as a security measure. It's typically much better to define these as
> charm config properties, because you can use a separate IAM account that's
> permission scoped to the usage you want rather than proliferating a more
> privileged account. Even better is using IAM roles
> (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
> with manual provisioning and workload placement (deploy --to) against the
> ec2 provider and avoiding the credential management entirely.
>

Also related, but not directly implied, there is a lost-in-time
mailing list thread regarding secret configuration buckets
( https://lists.ubuntu.com/archives/juju/2014-May/003885.html ).

I am not sure if somebody had a chance to work on implementing a solution
like puppet-hiera ( http://docs.puppetlabs.com/hiera/1/ )
or any other approach for sensitive data being used in configuration files.


Cheers

-- 
Jorge Niedbalski R.


