Getting into your instances


Did you get excited about this article? Let’s have a look at how it is on a less theoretical level. Ok, so you have created an i-fafafafafafafa AWS instance in your private subnet but, for some reason, you need an SSH-like connection to it, to maybe use it, hopefully not too often. In the old days, having a bastion host used to be an acceptable choice. These days, not so much, basically because of the exposed ports. Even if you don't use port 22 it is still a risk. Even an el

Advanced Direnv for Devops
Now you are using Direnv to manage your workspaces (see THIS), but you stumble upon a difficulty, maybe motivated (like me) by Terraform workspaces. You have a single codebase for a project, but this codebase needs to be deployed to different environments. Now, we can no longer have a .envrc file in the project's folder, because the environment should be different depending on where we want to deploy. So, how do we solve this? Direnv to the rescue, again. Using .env's Direnv

Direnv for Devops
For DevOps engineers, working in many different projects and different clouds is a reality of life. We have developed many tools to help us manage and switch among the different contexts and projects, each one with its ups and downs. Today we explore the one that, IMHO, is the best of them all: direnv. How it works: Direnv has a very simple premise: each time you cd into a directory with a .envrc file, a new environment is started for that particular directory using the env

Using GCloud service accounts in Terraform
Now that you are comfortably using service accounts to interact securely with GCP (are you still not using them? Refer to the Teratip "Secure your access to GCloud cli with Service Accounts" and start doing so), you want to use them with Terraform too. Terraform requires setting a token, which gives it access to the GCP API using a different identity. This token can be obtained with the gcloud cli and then exported to a variable. Once you do this, terraform will pick it up automatic

Secure your access to GCloud cli with Service Accounts
Do you want a time-sensitive way to give access to a third party to your GCP account with a low administrative burden? Look no further! Set up a service account! How to do it: it's actually very simple. Create a new service account, and give it the permissions needed by the third party; ask the third party for a Google Identity; add this identity to the service account with the TokenCreator permissions; profit! Now the third party needs to execute the gcloud command with an addit

How to keep your AWS Keys Safe on your terminal
One of the causes of AWS key leaks is configuring your AWS CLI by using the command aws configure. This can lead you to store your credentials in plain text under your home folder. If you are using Linux or macOS, you may know about the Keychain and D-bus secret service, so let’s combine both things into a secure and robust solution to keep your keys safe. We will use https://github.com/sorah/envchain as the primary tool to automate the keychain unlock, export the values int

Build Docker containers on Kubernetes with Jenkins and Kaniko
This writeup documents the current best way to build Docker containers within transient Jenkins agents inside a Kubernetes cluster. This setup has unique features and unique caveats you need to consider, and this writeup intends to save you, dear reader, the time I invested trying different solutions. Setup: these are the components used in this setup. You can replace the K8S provider and the solution and considerations will hold. You can also change the destination registry for your images

Using SSM Parameter Store
Some configurations can be considered private and high risk. Data such as database passwords and other valuable information can be safely stored in the SSM Parameter Store service. The service offers the possibility of storing the data that we consider to be “secret”, to later be consumed by our applications. Some of its features are: serverless, scalable; version tracking of the configurations and secrets; encryption with KMS (optional); notifications with CloudWatch Events; Con

How to Deploy IAM conditional policies with Terraform
Nowadays, AWS is the top cloud provider around the world and provides us with a wide variety of services. One of the most important services is IAM (Identity and Access Management). Here, we can manage access to AWS services and resources in a secure way, and the best part is that this is a free feature, so there is no additional charge. The way to manage access and permissions is by creating IAM policies. Once we have the policies created, the correct way to w

Do you want to import an ECDSA certificate into AWS?
Don't waste your time trying to import it into ACM. Amazon Certificate Manager says ECDSA is supported, but it is almost impossible to import the certificate, so you just have to import it as an IAM certificate. An example:

aws iam upload-server-certificate --server-certificate-name ecdsa-certificate-example --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

For more information https://aws.amazon.com/premiumsu