Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Eliminate long-lived IAM access keys. #1895

Open
sengi opened this issue Mar 11, 2024 · 3 comments
Open

Eliminate long-lived IAM access keys. #1895

sengi opened this issue Mar 11, 2024 · 3 comments
Assignees
@theseanything

Comments

@sengi
Copy link
Contributor

sengi commented Mar 11, 2024
edited

A few GOV.UK applications are still using long-lived IAM creds (AKIA... access keys) to authenticate to AWS services such as S3. This dates all the way back to when GOV.UK was hosted outside AWS in colo facilities. We shouldn't be using these any more.

We've already dealt with most of the easy cases. The remaining ones are probably just the few apps that use Fog. Fog rolls its own when it comes to authenticating to AWS and doesn't work well with the more modern authentication methods like instance profile and IRSA.

alphagov/content-data-admin#1377 and alphagov/support-api#911 are examples of replacing Fog with the standard AWS client library.

We can then use instance profile creds or IRSA for these apps and get rid of the long-lived keys and the secrets that store them.
@sengi sengi self-assigned this Mar 11, 2024
@sengi sengi mentioned this issue Mar 11, 2024
Merged
sengi added a commit that referenced this issue Mar 14, 2024
@sengi
Remove support-api's long-lived IAM creds in prod.
ea570ba 
See:

- #1896
- #1895
- alphagov/support-api#911
This was referenced Mar 14, 2024
Merged
Merged
@sengi
Copy link
Contributor Author

sengi commented Mar 14, 2024
edited

Two remaining: specialist-publisher and content-data-admin. (edit: sorry, forgot content-data-admin got done)

This was referenced Mar 14, 2024
Merged
Merged
@theseanything
Copy link
Contributor

Created a PR to remove Fog from specialist-publisher: alphagov/specialist-publisher#2575

@theseanything
Copy link
Contributor

I think dependency of Fog has also been removed from content-data-admin: alphagov/content-data-admin#1377

@sengi sengi assigned theseanything and unassigned sengi Apr 3, 2024
@theseanything theseanything mentioned this issue Apr 4, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@theseanything theseanything

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sengi @theseanything