HackerTrans
TopNewTrendsCommentsPastAskShowJobs

lstoll

no profile record

Submissions

An Update on Heroku

heroku.com
525 points·by lstoll·5 maanden geleden·352 comments

comments

lstoll
·4 jaar geleden·discuss
We use an AWS KMS asymmetric key for the CA keys, they're cheap and avoids exposing the private key material in an any way.

For signing SSH certificates, we run a small service (prototype code dump at https://github.com/pardot/sshsigner) that uses this key to sign short lived certificates. Auth to the service is via OIDC issued ID tokens.

On the client side we have a custom SSH agent that uses an ephemeral in-memory private key. The agent manages the OIDC web flow and calling out to the service for signing on demand. This lets us keep the cert duration small and scoped, and allows us to force re-auth for sudo etc. via the web flow.

We also do a similar thing for host keys, IAM auth the instances and sign certificates.

Altogether works well, provides a nice user experience, and keeps long-lived/leakable creds out of out environment.
lstoll
·5 jaar geleden·discuss
I migrated from the EU to the US, but then realised that once everything was factored in (medical, car, housing, cost of living) the taxes were actually worth it, so I moved back to the EU.
lstoll
·5 jaar geleden·discuss
you don't have to predict that exact scenario to know that domestic semiconductor manufacturing is a good idea.
lstoll
·5 jaar geleden·discuss
This is fine while you're employed, but what if you lose your position or decide to take a couple years off? Then it becomes a different equation.

Spread out over time, in the places I lived outside of the US that was not really a concern. Same with most other "social care" situations. In the US, it all felt a lot more tenuous which was a source of constant low-key anxiety.