upvote

points

by nightpool14 hours ago |
comments
upvoteby 420official6 hours ago|
next
[-]
OIDC with JWT doesnt need any long lived tokens. For example, I can safely grant gitlab the ability to push a container to ECR just using a short-lived token that gitlab itself issues. So the answer might be to ask your sentry/jira support rep to fast track supporting OIDC JWTs.

- https://docs.gitlab.com/ci/secrets/id_token_authentication/#... - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_pr...

reply
upvoteby 10 hours ago|
prev|
next
[-]
deleted
reply
upvoteby tptacek12 hours ago|
prev|
[-]
You do what you can. Eliminating long-lived keys isn't always possible; you set up rotation instead.
reply
upvoteby nightpool7 hours ago|
parent|
next
[-]
I disagree, I think increasing manual toil (having to log into Sentry every 6 months to put in a new Jira token) increases fatigue substantially for, in this case, next-to-no security benefit (Sentry never actually has any less access to Jira than it does in the long-lived token case, and any attacker who happens to compromise them is going to be gone well before six months is up anyway).

Instead, the right approach in this case is to worry less about the length of the token and more about making sure the token is properly scoped. If Sentry is only used for creating issues, then it should have write-only access, maybe with optional limited access to the tickets it creates to fetch status updates. That would make it significantly less valuable to attackers, without increasing manual toil at all, but I don't know any SaaS provider (except fly, of course) that supports such fine-grained tokens as this. Moving from a 10 year token to a 6 month token doesn't really move the needle for most services.

reply
upvoteby akerl_7 hours ago|
parent|
[-]
This sounds more like a reason to automate token management than an argument for long lived tokens.
reply
upvoteby ferngodfather6 hours ago|
parent|
[-]
But then you just move the security issue elsewhere with more to secure. Now we have to think about securing the automation system, too.

This is the same argument I routinely have with client id/secret and username/password for SMTP. We're not really solving any major problem here, we're just pretending it's more secure because we're calling it a secret instead of a password.

reply
upvoteby orf47 minutes ago|
parent|
next
[-]
It’s like 12 lines of terraform to fully automate this, inside your existing IaC infrastructure. It’s not complex.
reply
upvoteby Flimm4 hours ago|
parent|
prev|
[-]
Secrets tend to be randomly-generated tokens, chosen by the server, whereas passwords tend to be chosen by humans, easier to guess, and reused across different services and vendors.
reply
upvoteby collabs3 hours ago|
parent|
[-]
How does this apply to ssh public keys?
reply
upvoteby akerl_1 hours ago|
parent|
[-]
> Long-lived production SSH keys may be copied around, hardcoded into configuration files, and potentially forgotten about until there is an incident. If you replace long-lived SSH keys with a pattern like EC2 instance connect, SSH keys become temporary credentials that require a recent authentication and authorization check.
reply
upvoteby datadrivenangel9 hours ago|
parent|
prev|
[-]
Does having to refresh the key every 6 weeks instead of every year or whatever actually make a meaningful difference security-wise?
reply
upvoteby plorkyeran8 hours ago|
parent|
next
[-]
At the minimum you’ll remember how to do it if you have to do it every six weeks.
reply
upvoteby 1024kb5 hours ago|
parent|
prev|
next
[-]
If the key becomes compromised, rotating the key sooner means you potentially limit the damage from unauthorised access.
reply
upvoteby tptacek8 hours ago|
parent|
prev|
[-]
Yes? That's a huge difference.
reply