Tim Burns

Treat Service Passwords like Cattle - Not Pets

The Author believes Passwords should be Easy as Cake

Most people understand the value of treating servers like cattle, not pets. It's great advice and leads to better scalability and availability.

For security, it pays to treat passwords like cattle as well. Secure the process of creating a new password with MFA, but make the actual passwords throwaway and keep them in a secure secret-management system. Assume a password may get leaked and have a process in place to recreate it.

I work with the Snowflake data warehouse and I use this process.

Create a target in a makefile that creates the APP user from parameters. I use OpenSSL to generate the random string because it's available on all the systems I use.

# Generate a throwaway password with OpenSSL, then hand it and the other
# parameters to the snowsql script below. (The target name is illustrative.)
create-app-user:
	$(eval randomPassword := $(shell openssl rand -base64 20))
	# note: the password is echoed to the terminal here and is also visible
	# in the snowsql process arguments while the command runs
	echo $(randomPassword)
	snowsql -f snowflake/access/createAppUser.sql -D database=${SNOWFLAKE_APP_DATABASE} -D user=${SNOWFLAKE_APP_USER} \
	   -D randomPassword=$(randomPassword) -D defaultRole=${SNOWFLAKE_APP_ROLE} \
	   -D warehouse=${SNOWFLAKE_APP_WAREHOUSE}

-- snowflake/access/createAppUser.sql: the &{name} placeholders are filled from the -D arguments
!set variable_substitution=true;
-- create or replace: re-running this on an existing user rotates its password
create or replace user &{user}
    identified by '&{randomPassword}' default_role = &{defaultRole} DEFAULT_NAMESPACE=&{database};
-- session defaults for the app user
alter user &{user} set default_warehouse = &{warehouse};
alter user &{user} set DEFAULT_NAMESPACE  = &{database};
alter user &{user} set DEFAULT_ROLE = &{defaultRole};
-- everything the user can do is granted here, so the script documents its access
grant role &{defaultRole} to user &{user};
grant all privileges on database &{database} to role  &{defaultRole};

That's it. Now the user is throwaway: drop it and recreate it at will. The full access granted to the user is documented by the script, and rotating the password often is as easy as eating a piece of cake.
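The following is an added example, not code from the post or from Snowflake. It reproduces the password generation from the makefile, checks that the generated value is safe to interpolate, and renders the createAppUser.sql template locally so the exact statements can be reviewed before snowsql runs them. It assumes that snowsql's &{name} variable substitution is a plain textual replacement, and the parameter values APP_USER, APP_ROLE, APP_DB and APP_WH are constructed, not real Snowflake objects.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# password generation and renders the createAppUser.sql template locally,
# so the exact statements can be reviewed before "snowsql -f" runs them.
set -e

# Same generator as the makefile: 20 random bytes, base64-encoded (28 chars).
# Assumption: coreutils base64 is available for the /dev/urandom fallback.
gen_password() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 20
  else
    head -c 20 /dev/urandom | base64
  fi
}

# The value is interpolated unquoted on the snowsql command line and inside a
# single-quoted SQL literal, so accept only the base64 alphabet at full length.
check_password() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{27,}={0,2}$'
}

# The post's createAppUser.sql statements (abridged), written to file $1.
write_template() {
  cat > "$1" <<'EOF'
!set variable_substitution=true;
create or replace user &{user}
    identified by '&{randomPassword}' default_role = &{defaultRole} DEFAULT_NAMESPACE=&{database};
alter user &{user} set default_warehouse = &{warehouse};
grant role &{defaultRole} to user &{user};
grant all privileges on database &{database} to role &{defaultRole};
EOF
}

# Fill &{name} placeholders by literal (non-regex) replacement, mirroring what
# snowsql's variable_substitution does with the -D arguments (assumption: plain
# textual substitution). Values must not contain backslashes, which awk -v
# would interpret; base64 and identifier names never do.
# args: template user password defaultRole database warehouse
render_sql() {
  awk -v user="$2" -v pw="$3" -v role="$4" -v db="$5" -v wh="$6" '
    function rep(s, key, val,    i, out) {
      out = ""
      while ((i = index(s, key)) > 0) {
        out = out substr(s, 1, i - 1) val
        s = substr(s, i + length(key))
      }
      return out s
    }
    {
      $0 = rep($0, "&{user}", user)
      $0 = rep($0, "&{randomPassword}", pw)
      $0 = rep($0, "&{defaultRole}", role)
      $0 = rep($0, "&{database}", db)
      $0 = rep($0, "&{warehouse}", wh)
      print
    }' "$1"
}

# Write the rendered SQL to a mode-0600 file: the password then never appears
# on the terminal or in a process argument list, and the file can be passed
# to "snowsql -f" and deleted once the user has been created.
render_to_file() {
  tpl=$1; out=$2; shift 2
  ( umask 077; render_sql "$tpl" "$@" > "$out" )
}
```

Usage: `pw=$(gen_password); check_password "$pw"; render_to_file snowflake/access/createAppUser.sql rendered.sql APP_USER "$pw" APP_ROLE APP_DB APP_WH`, then `snowsql -f rendered.sql` and remove the file. Rendering to a restricted file rather than passing the password with -D keeps it out of shell history and process listings; the template itself stays the one the post shows.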
