[env-kvstore]: tool to retrieve CI/CD secrets and vars from AWS Secrets#460
| // accepts an optional map pointer to return specific claims by key. | ||
| func parseClaims(label, token string, returnClaims *map[string]any) error { | ||
| claims := jwt.MapClaims{} | ||
| // Signature will be verified by Cognito or STS, we can skip verification |
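Review bot: the comment "Signature will be verified by Cognito or STS" on the last line should state plainly that this function itself verifies nothing and that the claims it returns are untrusted input that only feeds name construction (session name, secret names), with the real check happening when the Cognito Identity Pool evaluates the token; as written it reads as if the caller receives verified claims back. A style point on the signature: `returnClaims *map[string]any` takes a pointer to a map, but a Go map is already a reference type, so a plain `map[string]any` parameter (or simply returning `jwt.MapClaims`) would be simpler and avoid a nil-pointer dereference if a caller passes nil.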
Can you elaborate? Why is it safe to trust the claims in the JWT without first verifying the signature?
The only GHA token claim values we use are as follows:
runID and sha are concatenated to create a unique session name used during role assumption. AWS IAM policies require these match role session tags.
enterprise, repository and environment are used to generate names of Secrets Manager secrets that will be retrieved. Access to retrieve the secrets is gated by an IAM Role policy that requires a tagged session.
In both cases, a role session with tags is a prerequisite for accessing anything in AWS. Role assumption requires a Cognito token from a specific Identity Pool. If the Cognito Identity pool is presented with a forged GitHub token it will fail to produce a Cognito token so no tagged role session can be obtained.
Fundamentally, this GitHub action implements a compliant client, rather than "enforce" any rules.
The TokenExchanger conforms with the rule "SessionName must be runID@sha". Enforcement is through the IAM role trust policy.
shared-workflows/tools/env-kvstore/README.md, lines 75 to 110 in fdff6ca
The KVStore getter will conform with the rule on how Secrets Manager secrets are named for each repository. Enforcement relies on the IAM Role Policy (ABAC).
shared-workflows/tools/env-kvstore/README.md, lines 119 to 132 in fdff6ca
Separately, the Cognito Identity Pool enforces the rule that the token needs to be from our GitHub organization because it relies on the Identity Provider.
shared-workflows/tools/env-kvstore/README.md, lines 44 to 60 in fdff6ca
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Taras <9948629+taraspos@users.noreply.github.com>
infer account, region from role, idPool
taraspos
left a comment
Approved, left a bunch of small nits and suggestions.
383e12a to 1467298
logand22
left a comment
Don't want to continue to delay the release of this over command line stuff. So here's an approval. It's just that the current usage of cobra doesn't really add much or follow the pattern.
In my earlier feedback I didn't realize you were only creating a single command. In which case I don't think you need to introduce additional dependencies at all.
Initial PR to add a shared workflow enabling replacement of GitHub secrets and variables with a key-value store backed by AWS Secrets Manager.
The first commit here adds the token exchange behaviour which allows a GitHub workflow to obtain an AWS role session having session tags that match the OIDC claims from a GitHub token.
RFD reference: https://github.com/gravitational/cloud/blob/master/rfd/0193-Replace-GitHub-Secrets.md
Example run output: https://github.com/gravitational/bpdohall-platformops-gha/actions/runs/22505998282/job/65204598612#step:6:135