
Create AWS IAM User Login Profile with PGP encrypted password in Terraform

Jan 04, 2022 · 2 mins read

Managing and deploying AWS IAM User Login Profiles in Terraform requires either a base64-encoded PGP public key or a Keybase username, as stated in the official documentation. However, the documentation gives no information on how to obtain such a PGP key, so today's topic describes the required steps.

Prerequisites

  • Terraform

Solution

Step 1. Install GPG from the official site https://gnupg.org/download.

Step 2. Create a template file that includes all the key options, for instance a file called key-template:

Key-Type: RSA
Subkey-Type: RSA
Name-Real: <first_name> <last_name>
Name-Comment: PGP key for <first_name>'s AWS IAM user
Name-Email: <insert_email_here>
Expire-Date: 0
# Passphrase: COMMENT_OUT_SO_IT_WILL_PROMPT_TO_INSERT_PASSWORD

Note(s): Setting Expire-Date to 0 disables expiration. So, please don't be lazy: set a proper value that is aligned with your company's security policies.

Step 3. Now, save the template file and, for the sake of example, create a copy named key-template-devcoops.

Step 4. Set the GPG_TTY environment variable as below, so that gpg can prompt for the passphrase on the current terminal:

export GPG_TTY=$(tty)

Step 5. Generate a new key. Once you run the command below, you'll be prompted for a passphrase. Make sure to save it securely, because you'll need it later for decryption.

gpg --batch --gen-key key-template-devcoops

Step 6. Export the public key in binary format (no --armor), using the Name-Email address from the template:

gpg --output public-key-binary-devcoops.gpg --export <insert_email_here>

Step 7. Add the following code block in Terraform:

data "local_file" "pgp_key_devcoops" {
  filename = "./public-key-binary-devcoops.gpg"
}

resource "aws_iam_user" "devcoops" {
  name          = "devcoops"
  path          = "/"
  force_destroy = true
}

resource "aws_iam_user_login_profile" "devcoops" {
  user    = aws_iam_user.devcoops.name
  pgp_key = data.local_file.pgp_key_devcoops.content_base64
}

output "password" {
  value = aws_iam_user_login_profile.devcoops.encrypted_password
}

Step 8. Run init, plan and apply the changes.

terraform init
terraform plan
terraform apply

Step 9. The Terraform output password prints the PGP-encrypted (base64-encoded) version of the password. For instance:

Outputs:

password = "wpICA3/L5g...1/09HTJKK=="
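A pre-flight check for the file exported in Step 6, added here as an example and not part of the original post: it parses the first OpenPGP packet header to confirm the file is a binary Public-Key packet (an --armor export, or the wrong file, is not the base64-encoded binary key the provider expects), reports the algorithm, key size and creation date, and returns the same base64 string that local_file.content_base64 hands to pgp_key. The packet returned by build_sample_export is constructed with a toy 16-bit modulus so the script runs offline; in practice pass the bytes of public-key-binary-devcoops.gpg to inspect_export.

```python
import base64
import struct
from datetime import datetime, timezone

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6  # Public-Key packet, RFC 4880 s5.5.1.1
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def parse_packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet (RFC 4880 s4.2)."""
    b0 = data[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet: high bit of first octet is clear")
    if b0 & 0x40:  # new-format header: tag in the low 6 bits, length in 1 or 2 octets here
        tag, l0 = b0 & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        raise ValueError("body length form not expected for a public-key packet")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03  # old-format header: tag in bits 2-5
    if ltype == 3:
        raise ValueError("indeterminate length is not valid in a key export")
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")

def inspect_export(data):
    """Describe the key Terraform will receive, or say why it is not a usable export."""
    if data.startswith(ARMOR_HEADER):
        return {"ok": False, "error": "ASCII-armored export; re-run gpg --export without --armor"}
    try:
        tag, off, length = parse_packet_header(data)
    except (ValueError, IndexError) as exc:
        return {"ok": False, "error": str(exc)}
    if tag != PUBLIC_KEY_TAG:
        return {"ok": False, "error": f"first packet has tag {tag}, expected Public-Key (6)"}
    body = data[off:off + length]
    version, created, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version != 4:
        return {"ok": False, "error": f"unsupported public-key packet version {version}"}
    return {"ok": True, "algorithm": ALGO_NAMES.get(algo, str(algo)),
            "bits": struct.unpack(">H", body[6:8])[0],  # bit length of the first MPI (RSA n)
            "created": datetime.fromtimestamp(created, timezone.utc).isoformat(),
            "pgp_key": base64.b64encode(data).decode()}  # equals local_file.content_base64

def build_sample_export():
    """Constructed stand-in for gpg's output: a v4 RSA key packet with a toy 16-bit modulus."""
    body = b"\x04" + struct.pack(">I", 1641254400) + b"\x01"  # v4, created 2022-01-04 UTC, RSA
    body += b"\x00\x10\xab\xcd" + b"\x00\x11\x01\x00\x01"  # MPI n (16 bits), MPI e = 65537
    return bytes([0x80 | (PUBLIC_KEY_TAG << 2), len(body)]) + body  # old-format, 1-octet length
```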

For decryption, see Decrypt iam_user_login_profile password in Terraform.

Conclusion

Encrypting secrets in Terraform is a great practice, since it helps us protect sensitive information in the following scenarios:

  • Terraform outputs leaked through the log files of a CI/CD deployment tool.
  • A compromised Terraform state file.

Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.