How to use these two services to dynamically update the authorized SSH keys on a Linux instance running inside a VPC.

Deploying an application to a Virtual Server Instance (VSI) may require some configuration based on information that is specific to the VSI. An example would be configuring the application to interact with a cloud service based on the region or availability zone of the VSI. The most common approach would be to use user data to perform the configurations. This approach, however, requires supplying the instance-specific information in the user data field during the initial provisioning of the VSI. 

In addition, it may be necessary to modify the configuration across multiple VSIs based on changes to the environment. Although user data is configurable to run on a reboot, it continues to have a few drawbacks.  One example would be an application that requires discovering changes to the hostname of the load balancer deployed in front of it. 

IBM Cloud Virtual Private Cloud (VPC) and Identity and Access Management (IAM) provide a set of complementary features that can help in these situations: 

• VPC Instance Metadata is a service that provides instance-specific information — for example, the availability zone in which the instance is running, the instance ID, the subnet and more. It can also provide an IAM token used to access cloud resources.
• IAM Trusted Profiles provide the ability to configure fine-grained authorization for computing resources running on IBM Cloud: Kubernetes, Red Hat OpenShift and VPC Virtual Server Instance (VSI). With IAM Trusted Profiles, a compute resource is assigned access to IAM-enabled resources.

The availability of these two features opens up opportunities for the contextual configuration of an application running on the compute instance — both during initial deployment and for dynamic updates. Managing the lifecycle of SSH keys on a VSI is often required when a new administrator joins the team or there is a security event that requires a wholesale update of keys. This blog post introduces an example application that will take advantage of these two services to dynamically update the authorized SSH keys on a Linux instance running inside a VPC.

As of this writing, the VPC Instance Metadata service and the IAM Trusted Profiles for VPC VSI are in Select Availability. Contact IBM support or your IBM Sales representative if you’re interested in getting early access.

Deployment architecture and application code

To demonstrate these two features, we will deploy a VSI inside of a VPC with appropriate security groups. A small application — in this case, a bash script ssh-authorized-keys.sh — is added as a running service on the instance:

As stated above, the application is a simple bash script running inside the virtual server that interacts with the IAM Trusted Profiles and the Metadata APIs to retrieve and parse the information required in order to configure the authorized_keys. Let’s review the main parts of the code:

• The application requests an access token from the Instance Identity Token service (1):

• The application reads the instance-specific metadata and parses the data it needs to proceed. For example, availability zone, instance id and name (1):

• Using the identity token captured, the application requests an IAM token (2) from the global IAM service:

• Using the IAM Token, the application uses the VPC regional API service to read the VPC SSH Keys (4) that it is authorized to view through an access policy in the IAM Trusted Profiles.
• The application updates the ~/.ssh/authorized_keys with the SSH key(s) it retrieved (5):

Deploying and configuring the components

This associated code repository contains the infrastructure as code instructions based on Terraform to create and configure the resources as depicted above. Here is a high-level overview of the code repository structure:

• The file main.tf contains the instructions for creating the base infrastucture constructs (i.e., a VPC, Subnets, Security Groups). If you have an existing VPC you can modify this file to supply data resources instead.
• The instance.tf file contains the instructions for creating and configuring the Virtual Server Instance. It will create an SSH key that will be used to configure the instance and call various shell scripts, as needed.
• The variables.tf file contains all of the input required by the Terraform template. Don’t modify this file, as the number of values that you need to modify is more limited. Use the `terraform.tfvars` to supply your values as described in the repository.
• The scripts folder contains the various shell scripts that are invoked during the run of the Terraform template.

After deploying the environment, you can test the dynamic configuration of SSH Keys on the VSI by updating the access policies in the IAM Trusted Profiles. As an enhancement, you can also configure the IBM Cloud Logging agent on the instance to capture the logs generated by the ssh-authorized-keys service to an existing IBM Cloud Log Analysis instance if desired. The logs are stored under /var/log.

Getting started

To get started, try the sample code on GitHub. Instructions are provided in the README.md to create and use this template. We also cover how to clean up resources when you no longer need them.

Questions and feedback

The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.