
Update pipeline queue and role #545

Merged
merged 1 commit into from Mar 6, 2024

Conversation


@amu-g amu-g commented Mar 6, 2024

Historically, we have used the deploy queue to manage resources in the production account. These agents run inside the account, and have fairly broad permissions that are used by several pipelines.

Instead of relying on the agents to have the permissions we need, we can use an OIDC assumable role with custom permissions. The benefits are:

  • The role can be tightly scoped to the permissions needed to add emojis
  • The role is only assumable by the main branch of emojis pipeline
  • We can run the deploy steps on lower privilege agents

This pattern was recently used in https://github.com/buildkite/site/pull/2898.

A new role has been created for emojis in https://github.com/buildkite/ops/pull/2149, that has permissions to interact with S3. However, we may need to tweak the permissions to add anything that's found to be missing for sync.

The env var ROLE_ACCOUNT_ID has been added in the pipeline settings.

Once the pipeline is working smoothly, we can remove buildkite/emojis from the allowlist on the deploy agents.
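As an added illustration of the pattern described in this PR (not code from the buildkite/emojis repository or from the ops PR), here is an IAM trust policy that lets only the main branch of one Buildkite pipeline assume the deploy role over OIDC, together with a small matcher that shows which token subjects it admits and which it rejects. It assumes the Buildkite OIDC issuer host `agent.buildkite.com`, its `organization:<org>:pipeline:<pipeline>:ref:<ref>:...` subject format, an org slug `buildkite`, a pipeline slug `emojis`, and a placeholder account id standing in for `ROLE_ACCOUNT_ID`.

```python
# Added example, not from the buildkite/emojis project. Assumptions: the Buildkite
# OIDC issuer agent.buildkite.com and its subject claim layout, org slug
# "buildkite", pipeline slug "emojis", and a placeholder AWS account id.
import fnmatch
import json

ISSUER = "agent.buildkite.com"
ROLE_ACCOUNT_ID = "123456789012"  # placeholder for the ROLE_ACCOUNT_ID pipeline env var


def trust_policy(org: str, pipeline: str, branch: str = "main") -> dict:
    """Trust policy for the OIDC-assumable role: issuer pinned via the provider ARN,
    audience pinned to STS, subject restricted to one pipeline on one branch.
    The trailing ':*' means 'main' must be the whole ref, so 'main-foo' does not match."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ROLE_ACCOUNT_ID}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{ISSUER}:sub": f"organization:{org}:pipeline:{pipeline}:ref:refs/heads/{branch}:*"},
            },
        }],
    }


def may_assume(policy: dict, claims: dict) -> bool:
    """Evaluate the policy conditions against a token's claims the way STS does:
    every StringEquals key must match exactly, every StringLike key must glob-match."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        eq_ok = all(claims.get(k) == v for k, v in cond.get("StringEquals", {}).items())
        like_ok = all(fnmatch.fnmatchcase(str(claims.get(k, "")), pat)
                      for k, pat in cond.get("StringLike", {}).items())
        if stmt["Effect"] == "Allow" and eq_ok and like_ok:
            return True
    return False


EMOJIS_POLICY = trust_policy("buildkite", "emojis")

# Constructed claims: a main-branch emojis build, a feature-branch build, another pipeline's main.
MAIN_CLAIMS = {f"{ISSUER}:aud": "sts.amazonaws.com",
               f"{ISSUER}:sub": "organization:buildkite:pipeline:emojis:ref:refs/heads/main:commit:3181e40:step:deploy"}
BRANCH_CLAIMS = dict(MAIN_CLAIMS, **{f"{ISSUER}:sub": "organization:buildkite:pipeline:emojis:ref:refs/heads/plt-2174-update-pipeline:commit:abc123:step:deploy"})
OTHER_PIPELINE_CLAIMS = dict(MAIN_CLAIMS, **{f"{ISSUER}:sub": "organization:buildkite:pipeline:site:ref:refs/heads/main:commit:abc123:step:deploy"})

if __name__ == "__main__":
    print(json.dumps(EMOJIS_POLICY, indent=2))
    print(may_assume(EMOJIS_POLICY, MAIN_CLAIMS), may_assume(EMOJIS_POLICY, BRANCH_CLAIMS))
```

The S3 permissions the PR mentions live in the role's separate permissions policy; the trust policy above only decides who may assume the role.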


@JuanitoFatas JuanitoFatas left a comment


This is great 😍👏🏻

@amu-g amu-g merged commit 3181e40 into main Mar 6, 2024
1 check passed
@amu-g amu-g deleted the plt-2174-update-pipeline branch March 6, 2024 04:55