Passing secrets to restored snapshots
I need some API to pass secrets to servers restored from snapshots. I know there are startup scripts, but they only work for servers instantiated directly from OS images and I cannot use OS images directly.
As the API stands now, all servers instantiated from a single snapshot share a single ssh host key. Every server could generate a new ssh host key upon first boot, but then my local scripts would have no way to verify the random host key nor any other way to verify the identity of the server, and thus no way to securely configure/specialize it.
I thought of abusing the email field in the ssh key and fetching the fake ssh key from the metadata server (169.254.169.254), but I cannot test it, because the sshkey/create API gives me a 412 status code. Smuggling configuration data in the email field of a fake ssh key feels hacky anyway. Is there a free-form metadata field that I could set in the server/create API and see it on the metadata server?
This discussion has been closed.
Comments
I have now thoroughly tested it. SSH keys have a comment field at the end. It is usually an email address or username, but there are no restrictions on what it can contain. You can put arbitrary data there, encoded with base64 (url-safe variant). There seems to be no size limit either. I have successfully uploaded a 10KB comment in the SSH key.
I'm not too familiar with the API, but it sounds like a useful addition.
edit: For that matter, how secure is metadata API? It's not a https url.
https://github.com/quickx-app/vultrdata
Check user-data parameter when creating server with API:
https://www.vultr.com/api/#server_create
You can use that to pass configuration values (encoded with base64) for a startup script or some other script which you have already set up for your snapshot.
How to fetch user-data inside your VPS instance (they added docs recently):
https://www.vultr.com/metadata/#user_data_user_data
If you try to change the user data afterwards with this: https://www.vultr.com/api/#server_set_user_data
"curl http://169.254.169.254/user-data/user-data" might return old values because user-data is only refreshed when instances are created or reinstalled.
I don't see a way to reference userdata any more. Was this feature removed?
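Added example, not part of any post in this thread or of Vultr's own tooling: one way a secret passed through the user-data parameter lets local scripts verify an SSH host key that the instance regenerates at first boot. The JSON payload layout, the function names, and the idea of the instance publishing an HMAC tag for its host key are assumptions; the thread also does not say whether the metadata endpoint returns the submitted base64 text unchanged, which `parse_user_data` assumes.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Endpoint quoted in the thread; the instance would fetch it with curl at first boot.
USER_DATA_URL = "http://169.254.169.254/user-data/user-data"


def make_user_data(token: bytes, role: str) -> str:
    """Local side: pack a per-server token and config into URL-safe base64."""
    payload = {"token": token.hex(), "role": role}
    raw = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def parse_user_data(text: str) -> dict:
    """Instance side: decode the text fetched from USER_DATA_URL, rejecting junk."""
    raw = base64.urlsafe_b64decode(text.strip().encode())
    payload = json.loads(raw)
    if not isinstance(payload, dict) or len(bytes.fromhex(payload.get("token", ""))) < 16:
        raise ValueError("user-data has no usable token")
    return payload


def host_key_tag(token: bytes, pubkey_line: str) -> str:
    """HMAC-SHA256 over the key type and base64 blob of an SSH host public key."""
    key_type, blob = pubkey_line.split()[:2]  # drop the trailing comment field
    return hmac.new(token, f"{key_type} {blob}".encode(), hashlib.sha256).hexdigest()


def verify_host_key(token: bytes, pubkey_line: str, tag: str) -> bool:
    """Local side: accept the host key only if the instance proved it knows the token."""
    return hmac.compare_digest(host_key_tag(token, pubkey_line), tag)


if __name__ == "__main__":
    token = secrets.token_bytes(32)            # generated per server, kept locally
    user_data = make_user_data(token, "web")   # value for the user-data parameter
    # Constructed sample key line, standing in for the key generated at first boot.
    host_key = "ssh-ed25519 " + base64.b64encode(b"constructed-sample-key").decode() + " root@snap"
    # Instance side: recover the token and publish a tag for its new host key.
    tag = host_key_tag(bytes.fromhex(parse_user_data(user_data)["token"]), host_key)
    print(verify_host_key(token, host_key, tag))                        # genuine key
    print(verify_host_key(token, host_key.replace("c", "d", 1), tag))   # different key
```

Because the tag is keyed with the token, it can be read over a connection that is not yet trusted; the local script pins the host key only after `verify_host_key` succeeds.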