January 10, 2022 By Dimitri Prosper 4 min read

How to use these two services to dynamically update the authorized SSH keys on a Linux instance running inside a VPC.

Deploying an application to a Virtual Server Instance (VSI) may require some configuration based on information that is specific to the VSI. An example would be configuring the application to interact with a cloud service based on the region or availability zone of the VSI. The most common approach would be to use user data to perform the configurations. This approach, however, requires supplying the instance-specific information in the user data field during the initial provisioning of the VSI. 

In addition, it may be necessary to modify the configuration across multiple VSIs based on changes to the environment. Although user data is configurable to run on a reboot, it continues to have a few drawbacks.  One example would be an application that requires discovering changes to the hostname of the load balancer deployed in front of it. 

IBM Cloud Virtual Private Cloud (VPC) and Identity and Access Management (IAM) provide a set of complementary features that can help in these situations: 

  • VPC Instance Metadata is a service that provides instance-specific information — for example, the availability zone in which the instance is running, the instance ID, the subnet and more. It can also provide an IAM token used to access cloud resources.
  • IAM Trusted Profiles provide the ability to configure fine-grained authorization for computing resources running on IBM Cloud: Kubernetes, Red Hat OpenShift and VPC Virtual Server Instance (VSI). With IAM Trusted Profiles, a compute resource is assigned access to IAM-enabled resources.

The availability of these two features opens up opportunities for the contextual configuration of an application running on the compute instance — both during initial deployment and for dynamic updates. Managing the lifecycle of SSH keys on a VSI is often required when a new administrator joins the team or there is a security event that requires a wholesale update of keys. This blog post introduces an example application that will take advantage of these two services to dynamically update the authorized SSH keys on a Linux instance running inside a VPC.

As of this writing, the VPC Instance Metadata service and the IAM Trusted Profiles for VPC VSI are in Select Availability. Contact IBM support or your IBM Sales representative if you’re interested in getting early access.

Deployment architecture and application code

To demonstrate these two features, we will deploy a VSI inside of a VPC with appropriate security groups. A small application — in this case, a bash script ssh-authorized-keys.sh — is added as a running service on the instance:

As stated above, the application is a simple bash script running inside the virtual server that interacts with the IAM Trusted Profiles and the Metadata APIs to retrieve and parse the information required in order to configure the authorized_keys. Let’s review the main parts of the code:

Deploying and configuring the components

This associated code repository contains the infrastructure as code instructions based on Terraform to create and configure the resources as depicted above. Here is a high-level overview of the code repository structure:

  • The file main.tf contains the instructions for creating the base infrastucture constructs (i.e., a VPC, Subnets, Security Groups). If you have an existing VPC you can modify this file to supply data resources instead.
  • The instance.tf file contains the instructions for creating and configuring the Virtual Server Instance. It will create an SSH key that will be used to configure the instance and call various shell scripts, as needed.
  • The variables.tf file contains all of the input required by the Terraform template. Don’t modify this file, as the number of values that you need to modify is more limited. Use the `terraform.tfvars` to supply your values as described in the repository.
  • The scripts folder contains the various shell scripts that are invoked during the run of the Terraform template.

After deploying the environment, you can test the dynamic configuration of SSH Keys on the VSI by updating the access policies in the IAM Trusted Profiles. As an enhancement, you can also configure the IBM Cloud Logging agent on the instance to capture the logs generated by the ssh-authorized-keys service to an existing IBM Cloud Log Analysis instance if desired. The logs are stored under /var/log.

Getting started

To get started, try the sample code on GitHub. Instructions are provided in the README.md to create and use this template. We also cover how to clean up resources when you no longer need them.

Questions and feedback

The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.

Was this article helpful?

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters