| 1 Jun 2022 |
Mic92 | but roles you create in vault | 17:25:16 |
Mic92 | I would need to hard code per region vault roles in my nixos modules | 17:25:39 |
Mic92 | https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_role | 17:26:14 |
Mic92 | Because one needs to set inferred_aws_region | 17:26:26 |
@grahamc:nixos.org | ah, right | 17:26:56 |
@grahamc:nixos.org | yeah so we've created multiple, one per region of course | 17:27:03 |
@grahamc:nixos.org | because instance profile ARNs are per region I think | 17:27:24 |
Mic92 | I really should just have used client certs. | 17:27:50 |
Mic92 | This is causing so much trouble down the line | 17:27:59 |
@grahamc:nixos.org | still could :) but I've found the AWS methods very very worth it | 17:28:28 |
@grahamc:nixos.org | but our instances are all ephemeral, and that makes it easy | 17:28:45 |
Mic92 | This is definitely the last company I will set this up for, because of their higher security needs. But otherwise the operational complexity is too high. One shouldn't need a devops just to maintain the security management. | 17:31:20 |
@grahamc:nixos.org | we've found that once it is up and you have one project using it, extending it to the rest has been really easy and straight forward | 17:32:39 |
@grahamc:nixos.org | but coming in to it without having used it and going from 0 to in production is definitely a very tall order | 17:32:49 |
Mic92 | Documentation is severely lacking and the error messages are not helpful. | 17:33:58 |
@grahamc:nixos.org | I haven't personally found that to be true, but it may be that I come to it with some important background context | 17:34:20 |
@grahamc:nixos.org | * I haven't personally found that to be true, but it is probable that I come to it with some important background context | 17:34:30 |
Mic92 | They ask end-users to deal with nonces. If you don't have a background in cryptography, this is just careless | 17:38:48 |
@grahamc:nixos.org | ah, yeah, that has to do with the otherwise insecure method that the deprecated aws-ec2 auth method uses | 17:39:06 |
@grahamc:nixos.org | the iam method doesn't need it and is much safer | 17:39:14 |
@grahamc:nixos.org | I guess the ec2 method isn't deprecated, but the iam approach is recommended in a way that feels like ec2 was deprecated | 17:41:47 |
Mic92 | Yeah, then I would need to hard set the aws region in my instances somehow... | 17:48:44 |
Mic92 | * Yeah, then I would need to set the aws region in my instances somehow to use iam... | 17:49:20 |
@grahamc:nixos.org | why's that? | 17:51:11 |
Mic92 | Because I would for each region a different vault role because of the inferred_aws_region option that I need to set for aws_auth_backend_role. | 17:58:39 |
@grahamc:nixos.org | ah, gotcha | 17:58:47 |
Mic92 | * Because I would need for each region a different vault role because of the inferred_aws_region option that I need to set for aws_auth_backend_role. | 17:59:13 |
| 2 Jun 2022 |
Mic92 | Wow systemd-creds is actually quite cool. This could be used to secure ssh host keys in the initrd for remote unlocking: https://man7.org/linux/man-pages//man1/systemd-creds.1.html | 05:45:24 |
Mic92 | Using TPM | 05:45:29 |
| 6 Jun 2022 |
| shimun ⚡️ joined the room. | 12:00:32 |