Regenerate NASA SMCE AWS account credentials every 60 days #2434
Comments
I'm authenticating myself like this:
@consideRatio there is a command in the deployer that will handle MFA of the CLI for these kinds of accounts. Yuvi added it up after I struggled with the bucket setup. Edited to add link (edited again to update link by erik): infrastructure/deployer/commands/exec/cloud.py Lines 16 to 52 in 124b4ae
I'm now having to do this for
EDIT: I circumvented this by running a
I also generalised the title of this issue a bit
We might need a new iteration for
@damianavila It may need to happen now. There is no Access Key associated with the
@sgibson91, can you take care of this one before EOW?
Done
Re-generated all creds again to keep them aligned as part of doing it for esdis where the deployer key had been deleted for some reason.
@2i2c-org/engineering I'll assign myself to do regular checks of this every ~50 days or so, aiming for between 1-2 weeks notice.
This is amazing, thank you so much @consideRatio
5th Jan I regenerated the deployer credentials for all nasa hubs, but they are now no longer valid and need to be re-generated even though 60 days haven't passed. Looking at the AWS console, nasa-ghg's key for the With that, I can conclude that the credentials apparently lived Jan 5th ~12 AM when I re-created them in #3575, and that they kept working Feb 10 ~7 AM, but stopped working sometime after that and before Feb 12 ~10 PM. I think this concludes that the security credentials for our deployer script seem to be getting invalidated more often than every 60 days, based on the evidence, after 36-38 days. I have security credentials that have been around and remained active for 40 days, so I think this may be specifically for the hub-deployer user that stands out by not being required to use 2FA thanks to an exception. I think the required action plan is to re-generate the deployer script once a month instead then.
Ah, I think the issue is that the instructions didn't replace existing credentials, they only ensured new ones if the previous were gone. I've updated the instructions to use a flag for terraform apply, making us get what we want done more directly: I think due to this, my conclusions on needing to re-generate more often than every 60 days were incorrect - we just had to make sure we successfully re-generated credentials even if there were existing non-expired credentials around already.
I've scheduled myself to re-generate 23 April, in two weeks.
I've been asked to not do this task by @yuvipanda, but credentials will expire ~now or have already expired I think, so I've unassigned myself and moved this to the top of the refined backlog.
Thank you for not doing it, @consideRatio. It should be handled as part of #4114. Those credentials have expired, because ideally we would have gotten to this as part of last refinement. But we didn't, and that's ok. I'm going to actually close this task, as we'll instead be generating new tasks each time based on the calendar mentioned there.
Cluster status
Every 60 days / two months, we need to re-generate the deployer credentials for each nasa AWS account we manage. This issue describes the status of the accounts and how to do it. Update the status below if you have re-generated credentials.
nasa-esdis
nasa-ghg
nasa-veda
Upcoming regeneration: 23 April
How to re-generate credentials for deployer
#2339 is related, but this is specifically for the continuous deployer key for individual nasa AWS accounts.
Here's the how-to on doing this:
cd terraform/aws