Skip to content

Refactor Drone Pipelines to use AWS role assumption#17201

Merged
wadells merged 18 commits into
masterfrom
walt/role-assumption
Oct 10, 2022
Merged

Refactor Drone Pipelines to use AWS role assumption#17201
wadells merged 18 commits into
masterfrom
walt/role-assumption

Conversation

@wadells
Copy link
Copy Markdown
Contributor

@wadells wadells commented Oct 8, 2022
edited
Loading

This PR updates our various Drone pipelines to use AWS roles for publishing.

Our AWS FTR requires that we do not use any long lived credentials in our AWS accounts and instead use roles. This means we need to move from attaching policies directly to users to attaching policies to roles and having policyless users assume those roles.

Related Issues & PRs

We created the roles needed in:

And added them to Drone in:

This PR updates the automation to use the new roles, such that we can remove the policies from the users:

Backports:

The corresponding teleport-plugins PR is:

Contributes to https://github.com/gravitational/SecOps/issues/213

Reviewing

This is a large PR, however the changes are divided into small chunks for easier review.

Because this is a cross cutting change that touches on the past work of many different contributors, I've added your name after a commit if it touches code related to your work -- I'd appreciate it if you'd review at least these parts. Though you're welcome to review more.

Part One - This section includes all drongen changes. The important thing to review here is the drongen go code.

  • Add AWS roles to Linux tag pipelines -- This sets the precedent and everyone should take a look.
  • Add AWS roles to Mac pipelines (@fheinecke)
  • Add AWS roles to Windows native builds (@tcsc)
  • Add AWS roles to relcli piplelines (@justinas)
  • Add AWS roles to RPM/DEB package pipelines (@fheinecke)
  • Add AWS roles to docker promote pipeline (@logand22)

Part Two - This section includes all pipelines that aren't managed by dronegen, and were hand edited. The .drone.yml itself should be reviewed here.

  • Add AWS roles to build-docker-images pipeline (@logand22)
  • Add AWS roles to AMI pipelines (@hugoShaka)
  • Add AWS roles to docker cron pipeline (@logand22) -- This commit has a slightly different pattern, where profiles other than [default] are used.
  • Add AWS roles to helm cron pipeline (@hugoShaka)
  • Add AWS roles to promotion pipeline

Testing

All tag build changes were tested via v12.0.0-dev.walt.3 here:

https://drone.platform.teleport.sh/gravitational/teleport/16273

Most promotion changes were tested off that same tag here:

https://drone.platform.teleport.sh/gravitational/teleport/16277

What wasn't tested from the promote?

  • deb/apt/rpm/yum repo promotion changes -- these are skipped for dev builds. I can't effectively test these without cutting a real release on v10 (or v11, once it is out of pre-release).

All the testing above was performed with all the changes in this branch plus:

See the following for the diff between what was tested and what is in this branch: walt/role-assumption...walt/role-assumption-test

Notes

I chose to perform role assumption in a different step than the role is used in. This is a bit more verbose, but it is a reasonable simulacra of how we'll handle creds eventually in GitHub actions. Furthermore, it prevents the code using AWS credentials from ever having access to the long lived creds -- it'll only ever see the short lived role sessions. So if someone were to exfiltrate creds with anything short of drone signed code, they'll only get a short lived session.

plugins/s3 has been entirely removed, as it didn't seem compatible with pre-assumed roles.

@wadells wadells force-pushed the walt/role-assumption branch 2 times, most recently from 3aa848c to d6aabd7 Compare October 8, 2022 22:35
@wadells wadells force-pushed the walt/role-assumption branch from d6aabd7 to d9d5148 Compare October 8, 2022 22:49
@wadells wadells marked this pull request as ready for review October 8, 2022 23:49
@github-actions github-actions Bot requested a review from jimbishopp October 8, 2022 23:50
@wadells wadells force-pushed the walt/role-assumption branch from d9d5148 to 1e155d3 Compare October 8, 2022 23:51
fheinecke
fheinecke reviewed Oct 10, 2022
View reviewed changes
Comment thread .drone.yml
justinas
justinas reviewed Oct 10, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@justinas justinas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some nits mostly

Comment thread dronegen/aws.go Outdated
Comment thread dronegen/relcli.go
Comment thread dronegen/relcli.go
Comment thread dronegen/relcli.go
Comment thread dronegen/aws.go Outdated
@wadells wadells requested a review from fheinecke October 10, 2022 18:21
@wadells wadells mentioned this pull request Oct 10, 2022
Merged
wadells added a commit that referenced this pull request Oct 10, 2022
@wadells
Add AWS roles all drone pipelines
3f0833b 
Backports #17201

Contributes to https://github.com/gravitational/SecOps/issues/213
@wadells wadells enabled auto-merge (squash) October 10, 2022 20:14
wadells added a commit that referenced this pull request Oct 10, 2022
@wadells
Add AWS roles to Drone pipelines
5dcce82 
Backports #17201

Contributes to gravitational/SecOps#213
@wadells wadells mentioned this pull request Oct 10, 2022
Merged
@wadells wadells merged commit acbf575 into master Oct 10, 2022
@wadells wadells deleted the walt/role-assumption branch October 10, 2022 20:33
wadells added a commit that referenced this pull request Oct 10, 2022
@wadells
Add AWS roles all drone pipelines (#17237)
cc2b15c 
Backports #17201

Contributes to https://github.com/gravitational/SecOps/issues/213
@wadells wadells mentioned this pull request Oct 10, 2022
Merged
reedloden pushed a commit that referenced this pull request Oct 11, 2022
@wadells
[v10] Refactor Drone Pipelines to use AWS role assumption (#17244)
3dd2fad 
* Flip the order of the quay and ecr pipelines

These are reversed in master/v11 (ecr first, and then quay) and having
the order consistent across branches will make future ports easier.

* Add AWS roles to Drone pipelines

Backports #17201

Contributes to gravitational/SecOps#213
This was referenced Oct 11, 2022
Merged
Merged
wadells added a commit that referenced this pull request Oct 11, 2022
@wadells
Add AWS Roles to Drone pipelines (#17274)
e6e8709 
This is follow up to #17201, that fixes the buildbox pipeline error seen here:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action

Contributes to gravitational/SecOps#213.
@wadells wadells mentioned this pull request Oct 11, 2022
Merged
wadells added a commit that referenced this pull request Oct 13, 2022
@wadells
Add AWS Roles to Drone pipelines
787868b 
This is follow up to #17201, that fixes the buildbox pipeline error seen here:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action
wadells added a commit that referenced this pull request Oct 13, 2022
@wadells
Add AWS Roles to Drone pipelines
58b4441 
This is follow up to #17201, that fixes the buildbox pipeline error seen here:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action
@wadells wadells mentioned this pull request Oct 13, 2022
Closed
wadells added a commit that referenced this pull request Oct 13, 2022
@wadells
Add AWS Roles to Drone pipelines
0d2ac7b 
This is follow up to #17201, that fixes the buildbox pipeline error seen here:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::146628656107:user/teleport_build_user_read_only is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action
This was referenced Oct 13, 2022
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@fheinecke fheinecke fheinecke approved these changes

@justinas justinas Awaiting requested review from justinas

+1 more reviewer

@reedloden reedloden reedloden approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@wadells @r0mant @reedloden @justinas @fheinecke