Tim Burns

Treat Service Passwords like Cattle - Not Pets


The author believes passwords should be easy as cake


Most people understand the value of treating servers like cattle, not pets. It's great advice and leads to better scalability and availability.


For security, it pays to treat passwords like cattle as well. Secure the process of creating a new password with MFA, but make the actual passwords throwaway and keep them under secure management. Assume a password may get leaked and have a process in place to recreate it.


I work with the Snowflake data warehouse and I use this process.


Create a target in a makefile to create the APP user based on parameters. I use OpenSSL to generate the random string because it's available on all the systems I use.


# Generate a fresh random password and create (or replace) the application user with it.
# Recipe lines must start with a tab. The echo shows the password on the terminal and in
# any CI log; drop it when the recipe runs unattended.
create-app-user:
	$(eval randomPassword := $(shell openssl rand -base64 20))
	echo $(randomPassword)
	snowsql -f snowflake/access/createAppUser.sql -D database="${SNOWFLAKE_APP_DATABASE}" -D user="${SNOWFLAKE_APP_USER}" \
	   -D randomPassword="$(randomPassword)" -D defaultRole="${SNOWFLAKE_APP_ROLE}" \
	   -D warehouse="${SNOWFLAKE_APP_WAREHOUSE}"

Use MFA on the Snowflake account that runs this script to create the passwords.

-- snowflake/access/createAppUser.sql: &{...} placeholders are filled from the -D arguments.
!set variable_substitution=true;
-- create or replace: rerunning the script rotates the password and resets the defaults.
create or replace user &{user}
    identified by '&{randomPassword}' default_role = &{defaultRole} default_namespace = &{database};
alter user &{user} set default_warehouse = &{warehouse};
alter user &{user} set default_namespace = &{database};
alter user &{user} set default_role = &{defaultRole};
-- The grants below are the complete record of what this service user can reach.
grant role &{defaultRole} to user &{user};
grant all privileges on database &{database} to role &{defaultRole};

That's it. Now service users are throwaway: delete and recreate them at will. The full access of the user is documented by the script, and rotating the credential often is as easy as eating a piece of cake.
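The same create-app-user flow as shell functions, added here as an example rather than the post's own code: the password is checked before it is used and parked in a 0600 file instead of being echoed, and the snowsql call runs only when SNOWSQL_RUN=1 (the /dev/urandom fallback, the check thresholds and the SNOWSQL_RUN switch are assumptions of this example).

```bash
# Added example, not the post's own code: the create-app-user recipe as shell
# functions, with the password checked before use and never echoed to the log.
set -eu

# The post's generator (openssl rand -base64 20); the /dev/urandom fallback is
# an assumption for hosts without openssl.
gen_service_password() {
  local bytes="${1:-20}"
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$bytes"
  else
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
  fi
}

# Reject anything that is not a full-length base64 string: 20 random bytes
# encode to 28 characters, and the base64 alphabet cannot break out of the
# single quotes around &{randomPassword} in createAppUser.sql.
check_service_password() {
  local pw="$1" min_len="${2:-28}"
  [ "${#pw}" -ge "$min_len" ] || return 1
  case "$pw" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
}

# Park the password in a 0600 file instead of echoing it, so it never lands
# in terminal scrollback or a CI build log. Prints the file path.
stash_service_password() {
  local f; f="$(mktemp "${TMPDIR:-/tmp}/svc-pw.XXXXXX")"
  chmod 600 "$f"
  printf '%s\n' "$1" > "$f"
  printf '%s\n' "$f"
}

# Recreate the service user with a fresh password. snowsql runs only when
# SNOWSQL_RUN=1, so the rest can be exercised without a Snowflake account.
# The -D value is visible in the process list while snowsql runs, exactly as
# in the post's Makefile; MFA on the operator's own account guards the run.
rotate_service_password() {
  local user="$1" pw f
  pw="$(gen_service_password 20)"
  check_service_password "$pw" || { echo "password generation failed" >&2; return 1; }
  f="$(stash_service_password "$pw")"
  if [ "${SNOWSQL_RUN:-0}" = 1 ]; then
    snowsql -f snowflake/access/createAppUser.sql -D database="$SNOWFLAKE_APP_DATABASE" \
      -D user="$user" -D randomPassword="$pw" -D defaultRole="$SNOWFLAKE_APP_ROLE" \
      -D warehouse="$SNOWFLAKE_APP_WAREHOUSE"
  fi
  printf '%s\n' "$f"   # where the operator can read the new password
}
```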

