Tim Burns

Treat Service Passwords like Cattle - Not Pets


The Author believes Passwords should be Easy as Cake


Most people understand the value of treating servers like cattle, not pets. It's great advice and leads to better scalability and availability.


For security, it pays to treat passwords like cattle as well. Secure the process that creates a new password with MFA, but treat the actual passwords as throwaway and keep them in a secrets manager rather than anywhere a person reads them. Assume a password may get leaked and have a process in place to recreate it.


I work with the Snowflake data warehouse and I use this process.


Create a target in a makefile that creates the APP user from parameters. I use OpenSSL to generate the random password because it's available on all the systems I use.


# Generate a throwaway password and create the APP user from it.
# Database, user, role and warehouse come from the environment.
create-app-user:
   $(eval randomPassword := $(shell openssl rand -base64 20))
   # This prints the password to the console (and to any CI log); remove it once the password is handed to a secrets manager.
   echo $(randomPassword)
   snowsql -f snowflake/access/createAppUser.sql -D database=${SNOWFLAKE_APP_DATABASE} -D user=${SNOWFLAKE_APP_USER} \
      -D randomPassword=$(randomPassword) -D defaultRole=${SNOWFLAKE_APP_ROLE} \
      -D warehouse=${SNOWFLAKE_APP_WAREHOUSE}

Run this from a Snowflake account with MFA enabled, so that creating a password always requires MFA.

-- Enable &{name} substitution for the -D values passed by snowsql.
!set variable_substitution=true;
-- Recreate the user with the throwaway password; the base64 password contains no quotes, so it is safe inside '...'.
create or replace user &{user}
    identified by '&{randomPassword}' default_role = &{defaultRole} DEFAULT_NAMESPACE=&{database};
-- Set the defaults explicitly (the role and namespace repeat the create statement; harmless).
alter user &{user} set default_warehouse = &{warehouse};
alter user &{user} set DEFAULT_NAMESPACE = &{database};
alter user &{user} set DEFAULT_ROLE = &{defaultRole};
-- The role grant and database privileges below are the complete access this user gets.
grant role &{defaultRole} to user &{user};
grant all privileges on database &{database} to role &{defaultRole};

That's it. Users are now throwaway: drop and recreate them whenever needed. The user's full set of privileges is documented by the script, and rotating it often is as easy as eating a piece of cake.
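As an added example (not the author's makefile or script), the same steps in POSIX shell, with two changes a reviewer would ask for: the password is written to a mode-0600 file instead of being echoed into the build log, and the snowsql `&{name}` substitution is emulated so the SQL can be reviewed offline before it runs. `gen_password`, `save_password`, `render_sql` and the file names are assumptions for this demo.

```shell
#!/bin/sh
# Added example: throwaway service password without leaking it to stdout.
# Assumes openssl (falls back to /dev/urandom + base64 if it is missing).

# 20 random bytes, base64-encoded: 28 characters, no quotes, so the value
# is safe inside the '...' of "identified by" in the Snowflake script.
gen_password() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 20
  else
    head -c 20 /dev/urandom | base64
  fi
}

# Store the password in a file only the owner can read, instead of
# echoing it; prints the path so the caller can hand it to a secrets manager.
# $1 = user name, $2 = password, $3 = directory (must exist).
save_password() {
  ( umask 077; printf '%s\n' "$2" > "$3/$1.password" ) || return 1
  echo "$3/$1.password"
}

# Emulate snowsql's &{name} substitution for a dry run.
# $1 = SQL template file; remaining arguments are name=value pairs.
# '|' is used as the sed delimiter because base64 may contain '/'.
render_sql() {
  tmpl=$1; shift
  out=$(cat "$tmpl")
  for kv in "$@"; do
    k=${kv%%=*}; v=${kv#*=}
    out=$(printf '%s\n' "$out" | sed "s|&{$k}|$v|g")
  done
  printf '%s\n' "$out"
}
```

Review the rendered SQL, then feed it to snowsql; only the 0600 file, never the console, ever holds the password.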



©2019 by Owl Mountain Software, LLC.