-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fetch access tokens from AWS Secrets Manager
We no longer have non-rotating secrets stored in the repository configuration. Implementation copied and adapted from proof-debugger.
- Loading branch information
1 parent
26e5891
commit a16874a
Showing
6 changed files
with
157 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
These are | ||
[AWS CloudFormation templates](https://aws.amazon.com/cloudformation/resources/templates/) | ||
for maintaining pypi and homebrew credentials used to publish the CBMC viewer. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
Description: | ||
Register the GitHub identity provider with the AWS security token service. | ||
|
||
Resources: | ||
GithubIdentityProvider: | ||
Type: AWS::IAM::OIDCProvider | ||
Properties: | ||
Url: | ||
# The GitHub identity provider supporting OIDC | ||
https://token.actions.githubusercontent.com | ||
ThumbprintList: | ||
# The GitHub certification authority (the signature of its certificate) | ||
- 6938fd4d98bab03faadb97b34396831e3780aea1 | ||
ClientIdList: | ||
# The AWS security token service | ||
- sts.amazonaws.com | ||
|
||
|
||
Outputs: | ||
GithubIdentityProvider: | ||
Value: !Ref GithubIdentityProvider | ||
Export: | ||
Name: GithubIdentityProvider |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
Description: > | ||
Enable storage of access tokens in AWS Secrets Manager and access to the PAT | ||
from the GitHub workflows in model-checking/cbmc-viewer. | ||
Parameters: | ||
GithubRepoOrganization: | ||
Type: String | ||
Description: GitHub organization for the CBMC viewer | ||
Default: model-checking | ||
CbmcViewerRepoName: | ||
Type: String | ||
Description: GitHub repository for CBMC viewer | ||
Default: cbmc-viewer | ||
CbmcViewerPublicationTag: | ||
Type: String | ||
Description: GitHub tag for CBMC viewer triggering the GitHub publication workflow | ||
Default: viewer-* | ||
|
||
Resources: | ||
|
||
BrewBotEmail: | ||
Type: AWS::SecretsManager::Secret | ||
Properties: | ||
Name: BOT_EMAIL | ||
Description: > | ||
The email address to use with Homebrew commits. | ||
BrewToken: | ||
Type: AWS::SecretsManager::Secret | ||
Properties: | ||
Name: RELEASE_CI_ACCESS_TOKEN | ||
Description: > | ||
GitHub access token. | ||
PypiToken: | ||
Type: AWS::SecretsManager::Secret | ||
Properties: | ||
Name: PYPI_ACCESS_TOKEN | ||
Description: > | ||
Pypi access token. | ||
PublisherTokenReader: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
RoleName: PublisherTokenReader | ||
Description: > | ||
This role can retrieve the personal access token for the model | ||
checking publisher in the Microsoft Marketplace. | ||
AssumeRolePolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
Federated: !ImportValue GithubIdentityProvider | ||
Action: sts:AssumeRoleWithWebIdentity | ||
Condition: | ||
StringEquals: | ||
token.actions.githubusercontent.com:aud: sts.amazonaws.com | ||
StringLike: | ||
token.actions.githubusercontent.com:sub: | ||
!Sub repo:${GithubRepoOrganization}/${CbmcViewerRepoName}:ref:refs/tags/${CbmcViewerPublicationTag} | ||
|
||
Policies: | ||
- PolicyName: PublisherTokenAccess | ||
PolicyDocument: | ||
Version: "2012-10-17" | ||
Statement: | ||
- Effect: Allow | ||
Action: secretsmanager:GetSecretValue | ||
Resource: !Ref BrewBotEmail | ||
- Effect: Allow | ||
Action: secretsmanager:GetSecretValue | ||
Resource: !Ref BrewToken | ||
- Effect: Allow | ||
Action: secretsmanager:GetSecretValue | ||
Resource: !Ref PypiToken |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters