Proposed Pattern for Deploying EC2 instances with Secure Credentials

Posted on March 29th, 2014 in General by Brandon

After struggling with this problem in my mind for a while, I finally had the opportunity to experiment with Cloud Init and come up with a working solution for securely (I think) deploying code and credentials to a stock Ubuntu Instance on EC2.

My primary goals are:

  • Must use a stock AMI with no customization
  • Human readable user-data that contains appName, environment, and role.
  • user-data must be easily modified by a developer for their own app or environment
    (No forcing them to base64 encode, gzip, or use special tools)
  • Must be portable between providers.
    The example works with EC2, but initial ‘include’ file can be customized for each provider or OS.

The diagram below shows how this is to be accomplished:

Proposed Cloud Init on Ubuntu / EC2 with secure credentials

The key to making this work is posting the user-data to a configuration server that can validate that the Instance ID belongs to us, hasn’t already attempted to be configured, and was started in the past couple minutes.
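The checks described above, as an added example of the configuration server's side of the exchange (not code from the original post). It assumes the instance-ownership lookup is a constructed dictionary standing in for a describe-instances call, and that the user-data is plain `key: value` lines carrying appName, environment and role.

```python
from datetime import datetime, timedelta, timezone

# How recently the instance must have been launched for a request to be honoured.
MAX_LAUNCH_AGE = timedelta(minutes=2)
REQUIRED_KEYS = ("appName", "environment", "role")

# Constructed stand-in for a describe-instances lookup (instance id -> launch time).
# A real server would query the provider's API with its own credentials.
KNOWN_INSTANCES = {
    "i-0123abcd": datetime(2014, 3, 29, 12, 0, 0, tzinfo=timezone.utc),
}


def parse_user_data(text):
    """Parse human-readable 'key: value' lines; blanks and '#' comments are skipped."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            data[key.strip()] = value.strip()
    return data


class ConfigServer:
    def __init__(self, instances, clock):
        self.instances = instances    # ownership lookup (hypothetical stand-in)
        self.clock = clock            # injected so the age check is testable
        self.configured = set()       # instance ids already handed credentials

    def handle(self, instance_id, user_data):
        """Return (fields, message); fields is None when the request is refused."""
        launched = self.instances.get(instance_id)
        if launched is None:
            return None, "unknown instance id"              # not one of ours
        if instance_id in self.configured:
            return None, "instance already configured"      # one-shot per instance
        if self.clock() - launched > MAX_LAUNCH_AGE:
            return None, "instance launched too long ago"   # stale request
        fields = parse_user_data(user_data)
        missing = [k for k in REQUIRED_KEYS if k not in fields]
        if missing:
            return None, "user-data missing " + ", ".join(missing)
        self.configured.add(instance_id)                    # mark before releasing
        return fields, "ok"
```

Only after all three checks pass would the server look up the credentials for that appName/environment/role and return them to the instance.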

I’ve successfully deployed several instances using this method and it seems to work well. Getting the cloud init include file, and the script
