https://pulumi.com logo
Powered by
Title
f

future-nail-59564

11/30/2020, 5:26 PM
Has anyone used 
keybase
to encrypt/decrypt user passwords with 
aws.iam.UserLoginProfile
? The 
encryptedPassword
output returns a simple string in the form 
wcFMA433DHhZWgKpARAAXYd0q2oRc83hFcLJXQMV9yC…
but keybase seems to expect something of the form 
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. keDIDMQWYvVR58B FTfTeDQNHx1585M … 1UfUcHnbYM8vtOw OsZfpid. END KEYBASE SALTPACK ENCRYPTED MESSAGE.
for decryption… 🤔
b

broad-dog-22463

11/30/2020, 5:35 PM
you need to pipe through base64 decode
pulumi stack output myPassword | | base64 --decode
that should give you the keybase string
f

future-nail-59564

11/30/2020, 5:52 PM
piping through 
base64 -d
only outputs binary/garbage! 😕
b

broad-dog-22463

11/30/2020, 5:54 PM
can you show me your code that you've specified for this?
f

future-nail-59564

11/30/2020, 6:05 PM
const loginProfile = new aws.iam.UserLoginProfile(
        user.username,
        {
          user: iamUser.name,
          pgpKey: `keybase:${user.keybaseUser}`,
        },
        { parent: this }
      );
and later in a dynamic provider that will send encrypted password by email, where 
encryptedPassword
is the resolved value of `loginProfile.encryptedPassword`: 
console.log(
      `Encrypted password: ${encryptedPassword}`
    );
I can share a more complete code excerpt if needed, but it’s a bit more involved, with the dynamic provider.
UserComponent_ts__excerpt_.ts
PasswordSender.ts (full)
l

little-cartoon-10569

11/30/2020, 7:11 PM
Same happens to me, I wrap it in the headers and footers myself, and it works.. onesec I've got the code...
Ah, it's just Terraform code, haven't ported it to Pulumi yet... 
output "passwords" {
  value =<<ARMOURED
%{for login_profile in aws_iam_user_login_profile.support }
PGP-encrypted password for ${login_profile.user}
-----BEGIN PGP MESSAGE-----

${login_profile.encrypted_password}

-----END PGP MESSAGE-----
%{endfor}
ARMOURED
}
f

future-nail-59564

11/30/2020, 7:52 PM
Thanks @little-cartoon-10569! However, it’s not just the armour that’s missing, it’s also the bytes that seem to be grouped in bunches. As I mentioned earlier, the format keybase is expecting looks like this: 
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. keDIDMQWYvVR58B FTfTeDQNHx1585M wWbrASgxlB4AxUD GDs2vnNJvt5UodK mH0F6pHuD4vc3Vm lAlAPrh7ZKv2OTY HnLXoNcUySLmP3p 63H2m1IHrfmMttC RLfExoP8zM8ZQ6R b1AWj2suk3W6s2G r5LriMri8wq94Hs X4hS0THSXY4AK8r nWrWvYlT3LBcuza 5AL24aH3H1eNVPe Mev3P0esF4z3O4w 9g9EQGy9IGN4ft7 5TKjYlptRSsGYAB RlGQlkRFFHQomtD es0YdccwPYXC5aa YbWyCA7jVOSEvCQ dcUbmILBnJLgvnf CJA6cpucUDsUeoP bKhMOzGg72JFSQ1 OXRp5VNwlo4ox8E 1UfUcHnbYM8vtOw OsZfpid. END KEYBASE SALTPACK ENCRYPTED MESSAGE.
However, my team lead asked that I stop going down this rabbit hole (which is starting to waste a lot of time) and instead find an alternative for generating/sending passwords! 😕 I guess I’ll create my own dynamic provider to create the login profile (because the regular AWS one only supports encrypted passwords). I’ll generate a random password, configure it to force user to reset it upon first login, and just send it to user by email as plain-text (as it’s just a temporary one). That’s a compromise, but we just need a simple enough workflow both for admins and users…
#awsJoin Slack
Powered by