DEV Community: Libert S

Yubikey meets an EC2 instance

Libert S — Fri, 01 Apr 2022 19:27:31 +0000

I recently got a Yubikey to lock some of my most critical accounts. In the process, I discovered that the yubikey also supports OpenPGP with the capabilities of Sign, Encrypt and Authenticate!.

This is a game-changer in terms of security since I no longer need to have my private RSA keys in my computer (hot environment because it touches the internet).

The process of how to generate the OpenPGP keys and burn them in the yubikey is well explained here:

https://youtube.com/playlist?list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu

The EC2 way

When we launch a new EC2 instance we have to choose a pem file (private key) to SSH.

ssh -i keypair.pem ubuntu@ec2-*********.com

What I used to do is to load the pem key into my ssh-agent to ssh to the instance without providing the key as a parameter.

ssh-add keypair.pem
ssh ubuntu@ec2-*********.com

EC2 + Yubikey

Assuming that your private key is already in the yubikey all you have to do is to plug the device into your computer and update the ssh-agent socket to communicate with pgp agent socket.

After doing that your ssh-agent will use OpenPGP.

SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

Now Copy your public pgp key to the EC2 instance.

ssh-add 
ssh-copy-id ubuntu@ec2-*********.com

Now everything is in place to SSH into your ec2 instance with your yubikey.

ssh ubuntu@ec2-*********.com

**waits for confirmation in the yubikey**

ubuntu@ec2-local:/home/ubuntu

Summary

And you are connected!.
Using this method removes the need to use the pem file provided by AWS. You can also use the same method for other servers Just copy your public key and you yubikey is your Authenticator.

AWS Solutions Architect Professional tips and tricks

Libert S — Tue, 27 Apr 2021 17:43:41 +0000

Is the time of the year to renew my AWS Solutions Architect certification as they are only valid for three years.

hands-on experience

The AWS SA Professional exam (SAP-C01) is considered one of the most difficult exams from the AWS certification program, mostly because it covers multiple AWS services, all the way from IAM to AWS direct connect. Also, the questions are based on real case scenarios compared with most theoretical questions in the AWS Solutions Architect Associate.

In the following weeks, I'll add a series of posts about my learning path and share some useful tips and tricks along the way to get certified.

Ansible EC2 dynamic inventories

Libert S — Mon, 15 Mar 2021 22:56:12 +0000

One of the steps of creating and testing ansible roles is verifying that the role does what it was intended to do in real EC2 instances.

To automate this workflow I usually launch 5 instances (centOS 7, centOS 8, Ubuntu 18, and Ubuntu 20) using python and boto3.

LAUNCH EC2

Here is a snippet of my script, you can find the complete script here

The script adds the tags env: ansible and distro: AMI['distro'] to the instances. This comes handy for grouping the ansible dynamic inventories

    instances = ec2.create_instances(
        ImageId = AMIS[i]["ami"],
        MinCount = 1,
        MaxCount = 1,
        InstanceType = 't3.micro',
        KeyName = KEY,
        SecurityGroupIds=[SG],
        SubnetId=SUBNET,
        TagSpecifications=[
            {
                'ResourceType': 'instance',
                'Tags': [
                    {
                        'Key': 'Name',
                        'Value': AMIS[i]["os"]
                    },
                    {
                        'Key' : 'env',
                        'Value': 'ansible'
                    },
                                        {
                        'Key' : 'distro',
                        'Value': AMIS[i]["distro"]
                    }
                ]
            }
        ]
    )

DYNAMIC INVENTORY

Once the instances are running instead of updating the inventory file manually we can use the ansible plugin: aws_ec2 to make our inventory dynamic.

Here you can see the inventory file that groups our EC2 instances by their tags, in this case, distro.

The name of the file is important and needs to be inventory_aws_ec2.yml

plugin: aws_ec2
boto_profile: default
regions:
  - us-east-1
filters:
  tag:env:
    - ansible
keyed_groups:
  - key: tags.distro
    separator: ''

hostnames:
  - network-interface.association.public-ip

OUTPUT

Notice that the output groups the distribution name with the public IP address assigned to the EC2 instance.

You can use this command to list the dynamic inventory:

ansible-inventory -i inventory_aws_ec2.yml --list

The output is going to look something like this:

{
    "aws_ec2": {
        "hosts": [
            "18.232.x.x",
            "34.228.x.x",
            "34.230.x.x",
            "54.226.x.x",
        ]
    },
    "centos": {
        "hosts": [
            "18.232.x.x",
            "34.228.x.x"
        ]
    },
    "ubuntu": {
        "hosts": [
            "54.226.x.x",
            "54.234.x.x"
        ]
    }
}

RUN THE PLAYBOOK

And finally, you can run your playbook using the dynamic inventory:

ansible-playbook -u ubuntu play.yml

--------
- hosts: ubuntu
  become: true
  roles:
    - ansible-role-update

Don't forget to terminate your instances after testing.