Move towards better secret management

.github/workflows/deploy.yml

@@ -25,17 +25,16 @@ jobs:
           curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
           chmod +x jq
           pip install yq git+https://github.com/tdviet/fedcloudclient.git
-          curl -L https://github.com/oidc-mytoken/client/releases/download/v0.3.0/mytoken_0.3.0_Linux_x86_64.tar.gz \
-            | tar -xzf -
-          mkdir ~/.mytoken
-          curl https://raw.githubusercontent.com/oidc-mytoken/client/master/config/example-config.yaml > ~/.mytoken/config.yaml
       - name: Configure providers access
         env:
-          MYTOKEN: ${{ secrets.MYTOKEN }}
           REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
+          ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }}
         run: |
+          # using parametric scopes to only have access to cloud.egi.eu VO
+          SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+          SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
           OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
-                            -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \
+                            -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \
                           | jq -r ".access_token")
           echo "::add-mask::$OIDC_TOKEN"
           cd deploy
@@ -54,6 +53,11 @@ jobs:
           sed -i -e "s/deploy_secret/$DEPLOY_OS_TOKEN/" clouds.yaml
           mkdir -p ~/.config/openstack
           touch ~/.config/openstack/secure.yaml
+          FEDCLOUD_LOCKER_TOKEN="$(fedcloud secret locker --oidc-access-token "$OIDC_TOKEN" \
+                                   create --ttl 1h --num-uses 2)"
+          fedcloud secret put deploy "data=$ANSIBLE_SECRETS"
+          echo "::add-mask::$FEDCLOUD_LOCKER_TOKEN"
+          echo "FEDCLOUD_LOCKER_TOKEN=$FEDCLOUD_LOCKER_TOKEN" >> "$GITHUB_ENV"
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -71,16 +75,13 @@ jobs:
       - name: Adjust cloud-init file
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-          ANSIBLE_SECRETS: ${{ secrets.ANSIBLE_SECRETS }}
         run: |
           cd deploy
           sed -i -e "s/%TOKEN%/${{ secrets.GITHUB_TOKEN }}/" cloud-init.yaml
           sed -i -e "s/%REF%/${{ github.sha }}/" cloud-init.yaml
           sed -i -e "s/%SHORT_REF%/$(git rev-parse --short HEAD)/" cloud-init.yaml
           sed -i -e "s#%SLACK_WEBHOOK_URL%#$SLACK_WEBHOOK_URL#" cloud-init.yaml
-          ANSIBLE_ENCODED_SECRETS="$(echo "$ANSIBLE_SECRETS" | base64 -w 0)"
-          echo "::add-mask::$ANSIBLE_ENCODED_SECRETS"
-          sed -i -e "s/%ANSIBLE_SECRETS%/$ANSIBLE_ENCODED_SECRETS/" cloud-init.yaml
+          sed -i -e "s/%FEDCLOUD_LOCKER_TOKEN%/$FEDCLOUD_LOCKER_TOKEN/" cloud-init.yaml
           sed -i -e "s/%CLOUDS_YAML%/$(base64 -w 0 < clouds.yaml)/" cloud-init.yaml
       - name: terraform plan
         id: plan
@@ -132,11 +133,13 @@ jobs:
           terraform output -raw instance-id
       - name: Re-configure providers access
         env:
-          MYTOKEN: ${{ secrets.MYTOKEN }}
           REFRESH_TOKEN: ${{ secrets.REFRESH_TOKEN }}
         run: |
+          # using parametric scopes to only have access to cloud.egi.eu VO
+          SCOPE="openid%20email%20profile%20voperson_id%20eduperson_entitlement"
+          SCOPE="$SCOPE:eduperson_entitlement:urn:mace:egi.eu:group:cloud.egi.eu:role=vm_operator#aai.egi.eu"
           OIDC_TOKEN=$(curl -X POST "https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token" \
-                            -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=openid%20email%20profile%20voperson_id%20eduperson_entitlement" \
+                            -d "grant_type=refresh_token&refresh_token=$REFRESH_TOKEN&client_id=token-portal&scope=$SCOPE" \
                           | jq -r ".access_token")
           echo "::add-mask::$OIDC_TOKEN"
           cd deploy

deploy/cloud-init.yaml

@@ -40,14 +40,14 @@ write_files:
       SLACK_WEBHOOK_URL="%SLACK_WEBHOOK_URL%"
       COMMIT_SHA="%REF%"
       SHORT_COMMIT_SHA="%SHORT_REF%"
+      FEDCLOUD_LOCKER_TOKEN="%FEDCLOUD_LOCKER_TOKEN%"
 
       # get the repo code and untar at cwd
       curl -L -H "Accept: application/vnd.github.v3+raw" \
               "https://api.github.com/repos/EGI-Federation/fedcloud-catchall-operations/tarball/$COMMIT_SHA" | \
               tar xz --strip=1
       cd deploy
-      echo "%ANSIBLE_SECRETS%" | base64 -d > ./secrets.yaml
-      ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" \
+      ./deploy.sh "$OAUTH_TOKEN" "$COMMIT_SHA" "$FEDCLOUD_LOCKER_TOKEN" \
                   "$SHORT_COMMIT_SHA" "$SLACK_WEBHOOK_URL"
     path: /var/lib/cloud/scripts/per-boot/deploy.sh
     permissions: '0755'

deploy/deploy.sh

@@ -25,6 +25,8 @@ else
 	header="Failed deployment :boom:"
 fi
 
+
+
 # This is a temporary way to get the auto discovery working while we transition for all sites
 # copy the secrets to the /etc/egi/vos dir which is readable from the containers
 cp secrets.yaml /etc/egi/vos/secrets.yaml