Terraform, AWS Access Keys and Keybase

Per the Terraform AWS Provider docs for the aws_iam_access_key resource, I figured I’d try this Keybase PGP thing.

This is the config I’ve got (and stayed with, because it wasn’t wrong):

resource "aws_iam_access_key" "example_key" {
  user    = aws_iam_user.example.name
  pgp_key = "keybase:yaleman"
}

While trying to apply the config however, I got this error…

│ Error: Error retrieving Public Key for keybase:yaleman: unable to fetch keys for user(s) "yaleman" from keybase
│   with aws_iam_access_key.example_key,
│   on example.tf line 26, in resource "aws_iam_access_key" "example_key":
│   26: resource "aws_iam_access_key" "example_key" {

Well, that’s annoying and slightly vague!

Checking if I had keys, Keybase seemed to think I did:

➜ keybase pgp list
Keybase Key ID:  010...340a
PGP Fingerprint: e1...7
PGP Identities:
   James Hodgkinson <[email protected]>

I tried the pull/push cycle and it just wouldn’t work, so time to generate a new one. If you see <snip> it’s extra noise or sekret.

➜ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
<snip>
Please select what kind of key you want:
   (1) RSA and RSA (default)
   <snip>
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
Key is valid for? (0) 10y
Key expires at Tue 22 Jun 2032 10:28:31 AM AEST
Is this correct? (y/N) y
<snip>
Real name: James Hodgkinson
E-mail address: [email protected]
Comment: Keybase
You selected this USER-ID:
    "James Hodgkinson (Keybase) <[email protected]>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
<snip>
gpg: key E281370A6DB472BE marked as ultimately trusted
<snip>
public and secret key created and signed.

pub   rsa3072 2022-06-25 [SC] [expires: 2032-06-22]
      <snip>
uid                      James Hodgkinson (Keybase) <[email protected]>
sub   rsa3072 2022-06-25 [E] [expires: 2032-06-22]

Woo! I have a key. Time to upload it to Keybase…

➜ keybase pgp select
You are selecting a PGP key from your local GnuPG keychain, and will publish a statement signed with this key to make it part of your Keybase.io identity.

Note that GnuPG will prompt you to perform this signature.

You can also import the secret key to *local*, *encrypted* Keybase keyring, enabling decryption and signing with the Keybase client.
To do that, use "--import" flag.

Learn more: keybase pgp help select

▶ ERROR You already have a PGP key registered (<snip>)
Specify the `--multi` flag to override this check

So let’s try the multi flag… why not just prompt me to do this?

➜ keybase pgp select --multi
You are selecting a PGP key from your local GnuPG keychain, and will publish a statement signed with this key to make it part of your Keybase.io identity.

Note that GnuPG will prompt you to perform this signature.

You can also import the secret key to *local*, *encrypted* Keybase keyring, enabling decryption and signing with the Keybase client.
To do that, use "--import" flag.

Learn more: keybase pgp help select

#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    3072R   E281370A6DB472BE             James Hodgkinson <[email protected]>
Choose a key: 1
▶ INFO Generated new PGP key:
▶ INFO   user: James Hodgkinson (Keybase) <[email protected]>
▶ INFO   3072-bit RSA key, ID E281370A6DB472BE, created 2022-06-25

To get the secret out of Terraform, add an output for the key's encrypted_secret attribute, then run terraform refresh so the output is populated.

output "example_key_access_key" {
  value = aws_iam_access_key.example_key.encrypted_secret
}

Then run the command:

terraform output -raw example_key_access_key | \
    base64 --decode | \
    keybase pgp decrypt

Get an error:

▶ ERROR decrypt error: unable to find a PGP decryption key for this message

Turns out you have to import it to keybase locally too :rage:

➜ keybase pgp select --multi --import
You are selecting a PGP key to publish in your profile, and
importing secret key to *local*, *encrypted* Keybase keyring.
<snip>

#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    3072R   E281370A6DB472BE             James Hodgkinson <[email protected]>
Choose a key: 1
You've already selected this public key for use on Keybase. Would you like to update it on Keybase? [Y/n] y
▶ INFO Posting update for key <snip.
▶ INFO Key was already up to date.
Do you want to import secret half of this key to local Keybase keyring? [Y/n] y
▶ INFO Key <snip> already exists. Only importing the private key.

And now the terraform thing works!

➜ terraform output -raw example_key_access_key | \
    base64 -d | \
    keybase pgp decrypt
<snip> :D
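One thing that would have shortened the hunt for that "unable to find a PGP decryption key" error is knowing which key ID the secret was encrypted for before handing it to keybase. Terraform's encrypted_secret is base64 of a binary OpenPGP message, and the first packet in that message (a Public-Key Encrypted Session Key packet, RFC 4880) carries the recipient key ID in the clear. The script below is an added example, not code from the post, Keybase or the Terraform AWS provider: it decodes the output, parses that first packet, and returns the key ID so it can be compared with the [E] encryption subkey shown by gpg --list-keys --keyid-format long. The SAMPLE_SECRET_B64 value is a hand-built packet with a placeholder key ID, not a real ciphertext.

```python
import base64
import binascii
import sys

PKESK_TAG = 1  # OpenPGP packet tag for Public-Key Encrypted Session Key

# Constructed sample standing in for `terraform output -raw ...`: a
# new-format PKESK packet addressed to placeholder key ID DEADBEEF01234567.
# The "encrypted session key" MPI is a two-byte dummy, not real ciphertext.
SAMPLE_SECRET_B64 = base64.b64encode(bytes([
    0xC1,                                            # new-format header, tag 1
    0x0D,                                            # one-octet body length: 13
    0x03,                                            # PKESK version 3
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x23, 0x45, 0x67,  # recipient key ID (placeholder)
    0x01,                                            # public-key algorithm 1 = RSA
    0x00, 0x08, 0xAB,                                # dummy MPI: 8 bits, value 0xAB
])).decode("ascii")


def parse_first_packet(data: bytes) -> tuple:
    """Return (tag, body) of the first OpenPGP packet in data (RFC 4880 section 4.2)."""
    if not data or not (data[0] & 0x80):
        raise ValueError("not an OpenPGP packet header (bit 7 clear)")
    first = data[0]
    if first & 0x40:  # new-format header: tag in low 6 bits, variable-size length
        tag = first & 0x3F
        n = data[1]
        if n < 192:
            length, start = n, 2
        elif n < 224:
            length, start = ((n - 192) << 8) + data[2] + 192, 3
        elif n == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported here")
    else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported here")
        nbytes = 1 << ltype  # 1, 2 or 4 length octets
        length = int.from_bytes(data[1:1 + nbytes], "big")
        start = 1 + nbytes
    return tag, data[start:start + length]


def recipient_key_id(encrypted_secret_b64: str) -> str:
    """Base64-decode an encrypted_secret output and return the 16-hex-digit
    key ID of the key it was encrypted for (normally the [E] subkey)."""
    try:
        raw = base64.b64decode(encrypted_secret_b64.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"output is not valid base64: {exc}") from exc
    if raw.startswith(b"-----BEGIN PGP MESSAGE-----"):
        raise ValueError("message is ASCII-armored; run it through gpg --dearmor first")
    tag, body = parse_first_packet(raw)
    if tag != PKESK_TAG:
        raise ValueError(f"first packet has tag {tag}, expected {PKESK_TAG} (PKESK)")
    if body[0] != 3:
        raise ValueError(f"unsupported PKESK version {body[0]}")
    return body[1:9].hex().upper()


def diagnose(encrypted_secret_b64: str) -> str:
    """Human-readable verdict; never raises, so it can sit at the end of a pipeline."""
    try:
        return "encrypted for key ID " + recipient_key_id(encrypted_secret_b64)
    except ValueError as exc:
        return "not a usable encrypted_secret: " + str(exc)


if __name__ == "__main__":
    # Read the real output from stdin when piped; fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRET_B64
    print(diagnose(text))
```

If the reported key ID is the encryption subkey of the key you just published but keybase pgp decrypt still fails, the secret half has not been imported into the local Keybase keyring, which is exactly the --import step above. GnuPG can show the same packet with `terraform output -raw example_key_access_key | base64 -d | gpg --list-packets`, which prints the keyid in its "pubkey enc packet" line.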


#keybase #terraform #AWS