Automatically generate SSH key pair for each ECS Task
The present change aims to increase the security of the current solution and, at the same time, to simplify the driver setup process, as users will no longer be required to manage SSH keys and the AWS Parameter.
Overview: in the current solution, the user is responsible for generating the public and private keys and configuring the Fargate driver to use them. In the proposed behavior, during the "prepare" stage, the application generates the public and private keys used to connect to the task container. The public key is passed to the task container through environment variables during "start task". The private key is persisted in the metadata so that the "run" stage can use it to access the container.
Necessary POCs:
- Test whether using the "Overrides" attribute of the AWS API to add environment variables works as we expect
Changes to the current implementation
AWS Fargate adapter:
- Change the "RunTask" method:
This method now needs to receive a new parameter representing the environment variables to override in the task container to be started (in this way we can pass the SSH public key to the container as an environment variable).
Using the AWS API I found no way of directly overriding the environment variables for containers without knowing the container name, so we now have to decide between two possibilities:
- Create a new method / integration with AWS to fetch the task definition details in order to obtain the container names defined in the task definition, and use this information to override the variables in all containers found in the task definition.
- Add the container name to the configuration (config.toml) and use it for overriding the environment variables.
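The following Go program is an added example, not code from the Fargate driver itself; it shows the request shape both options above end up producing. The task definition JSON, the container names and the SSH_PUBLIC_KEY variable name are constructed assumptions; the struct fields mirror the JSON keys of the ECS RunTask "overrides" parameter (overrides.containerOverrides[].environment) and of the DescribeTaskDefinition response (taskDefinition.containerDefinitions[].name). With the first option the names come from the task definition and every container receives the variable; with the second option the single name from config.toml is passed in the same slice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Constructed sample of a DescribeTaskDefinition response; only the fields
// this example reads are included.
const sampleTaskDefinition = `{
  "taskDefinition": {
    "family": "gitlab-runner-fargate",
    "containerDefinitions": [
      {"name": "ci-coordinator", "image": "example/ci-image:latest"},
      {"name": "sidecar", "image": "example/sidecar:latest"}
    ]
  }
}`

// KeyValuePair, ContainerOverride and TaskOverride mirror the JSON shape of
// the RunTask "overrides" parameter.
type KeyValuePair struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type ContainerOverride struct {
	Name        string         `json:"name"`
	Environment []KeyValuePair `json:"environment,omitempty"`
}

type TaskOverride struct {
	ContainerOverrides []ContainerOverride `json:"containerOverrides"`
}

// ContainerNamesFromTaskDefinition extracts the container names from a
// DescribeTaskDefinition response body (the first option in the proposal).
func ContainerNamesFromTaskDefinition(body []byte) ([]string, error) {
	var resp struct {
		TaskDefinition struct {
			ContainerDefinitions []struct {
				Name string `json:"name"`
			} `json:"containerDefinitions"`
		} `json:"taskDefinition"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode task definition: %w", err)
	}
	var names []string
	for _, c := range resp.TaskDefinition.ContainerDefinitions {
		if c.Name != "" {
			names = append(names, c.Name)
		}
	}
	return names, nil
}

// BuildEnvOverrides targets the same variables at every named container.
// An empty name list is an error rather than a silent no-op: ECS would start
// the task without the public key and the run stage would only fail later.
func BuildEnvOverrides(containerNames []string, env map[string]string) (TaskOverride, error) {
	if len(containerNames) == 0 {
		return TaskOverride{}, errors.New("no container names to override: set one in config.toml or read the task definition")
	}
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic request bodies are easier to log and diff
	var ov TaskOverride
	for _, name := range containerNames {
		pairs := make([]KeyValuePair, 0, len(keys))
		for _, k := range keys {
			pairs = append(pairs, KeyValuePair{Name: k, Value: env[k]})
		}
		ov.ContainerOverrides = append(ov.ContainerOverrides, ContainerOverride{Name: name, Environment: pairs})
	}
	return ov, nil
}

func main() {
	names, err := ContainerNamesFromTaskDefinition([]byte(sampleTaskDefinition))
	if err != nil {
		panic(err)
	}
	// SSH_PUBLIC_KEY is an assumed variable name; the value is a constructed placeholder.
	ov, err := BuildEnvOverrides(names, map[string]string{"SSH_PUBLIC_KEY": "ssh-ed25519 AAAA-placeholder"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ov, "", "  ")
	fmt.Println(string(out))
}
```

With the AWS SDK the same structure is expressed through the SDK's ECS types (TaskOverride, ContainerOverride, KeyValuePair) and passed as the Overrides field of the RunTask input; the JSON above is what the SDK serialises for it.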
Metadata storage:
- Change the struct that represents the task metadata stored between stages
We need to include the private key so that it is persisted between the driver commands (we create the public/private key pair in the prepare stage but use the private key only in the run stage).
Here we need to consider: can the private key be persisted unencrypted in the metadata?
"Prepare" command:
- Create a method for generating public and private keys
- Use the previously created method before we start a task
- Pass the public key as an environment parameter to the Fargate adapter "RunTask" method
- Persist the private key in the metadata storage
"Run" command:
- Read the private key from metadata storage
- Use that private key when connecting to the container
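The prepare and run steps above, carried through as an added example in Go (this is not the driver's own code): the prepare stage generates an ed25519 key pair, hands the public key out as an authorized_keys line for the container environment and persists the private key as PKCS#8 PEM in the metadata; the run stage reads the metadata back and recovers the key. The TaskMetadata struct, its PrivateKeyPEM field and the file name are assumptions. Because the open question about storing the private key unencrypted is not settled here, the metadata is at least written owner-only, and KeyPairMatches lets the run stage confirm the key it loaded belongs to the public key the task was started with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
)

// TaskMetadata stands in for the driver's per-task metadata; PrivateKeyPEM is the added field (hypothetical name).
type TaskMetadata struct {
	TaskARN       string `json:"task_arn"`
	PrivateKeyPEM string `json:"private_key_pem"`
}

// GenerateSSHKeyPair runs in the prepare stage: public key as an authorized_keys line, private key as PKCS#8 PEM.
func GenerateSSHKeyPair() (authorizedKey, privatePEM string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	privatePEM = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	return authorizedKeyLine(pub), privatePEM, nil
}

// authorizedKeyLine encodes the key as sshd expects: key type and the 32 raw
// key bytes, each length-prefixed, then base64 behind "ssh-ed25519 ".
func authorizedKeyLine(pub ed25519.PublicKey) string {
	var wire []byte
	for _, field := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		wire = append(append(wire, n[:]...), field...)
	}
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(wire)
}

// SaveMetadata writes the file owner-only: it now holds an unencrypted private
// key, so limiting who can read it is the minimum mitigation while the encryption question is open.
func SaveMetadata(path string, md TaskMetadata) error {
	data, err := json.Marshal(md)
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o600)
}

// LoadPrivateKey is the run-stage side: read the metadata back and recover a key to authenticate with.
func LoadPrivateKey(path string) (ed25519.PrivateKey, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var md TaskMetadata
	if err := json.Unmarshal(data, &md); err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(md.PrivateKeyPEM))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("metadata %s does not contain a PEM private key", path)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(ed25519.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("unexpected private key type %T", key)
	}
	return priv, nil
}

// KeyPairMatches confirms the recovered private key belongs to the public key
// handed to the container, so a stale or mixed-up metadata file fails early.
func KeyPairMatches(authorizedKey string, priv ed25519.PrivateKey) bool {
	return authorizedKeyLine(priv.Public().(ed25519.PublicKey)) == authorizedKey
}

func main() {
	authorized, privPEM, err := GenerateSSHKeyPair()
	if err != nil {
		panic(err)
	}
	if err = SaveMetadata("task-metadata.json", TaskMetadata{TaskARN: "placeholder-arn", PrivateKeyPEM: privPEM}); err != nil {
		panic(err)
	}
	priv, err := LoadPrivateKey("task-metadata.json")
	fmt.Println(authorized, err == nil && KeyPairMatches(authorized, priv))
}
```

The authorized_keys line is what the container's sshd needs in its authorized_keys file, so the image entrypoint only has to write the environment variable there; the private key never leaves the machine running the driver, and a new pair is produced for every task, which is what limits the blast radius of a leaked metadata file.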
Changes to config.toml and config.toml.example:
- Remove the attribute that indicates the path of the private key (PrivateKeyPath)
Questions
To consider: can the private key be persisted unencrypted in the metadata file?
Should we add the container name to the configuration (config.toml) or fetch it from the task definition (in that case overriding environment parameters for all containers we find)?