I need some API to pass secrets to servers restored from snapshots. I know there are startup scripts, but they only work for servers instantiated directly from OS images and I cannot use OS images directly.
As the API stands now, all servers instantiated from single snapshot share single ssh host key. Every server could generate new ssh host key upon first boot, but then my local scripts would have no way to verify the random host key nor any other way to verify identity of the server and thus no way to securely configure/specialize it.
I thought of abusing the email field in ssh key and fetching the fake shh key from metadata server (169.254.169.254), but I cannot test it, because sshkey/create API gives me 412 status code. Smuggling configuration data in email field of fake ssh key feels hacky anyway. Is there a free-form metadata field that I could set in server/create API and see it on the metadata server?