adoptium
Document automation credentials
We have some automation bots used for access in jenkins and potentially elsewhere. From a security perspective we should ensure they are documented somewhere including what access they have and what they are used for.
@gdams Can you start the work on this please since I think you've been involved in putting some of the automation in jenkins/github that uses authentication so should be able to provide a good base for additions. A list of automation IDs and what they do / have access to is good for the project and will ensure we keep on top of access control and avoiding potential duplication.
I suggest what we have for each automated credential is to have clarity on:
- A name for the credential (e.g. what it is referenced as in jenkins/actions/etc)
- Who created it / has access to manage it on the source system where it was created?
- Where is the credential stored so it can be recovered in the case of a problem?
- Where the credential is used? (What would be affected if it disappeared was changed)
- Identify the risks of the credential was compromised
- What would be required if the credential is compromised? (i.e. how could someone regenerate it, location in the source UI etc, and who could do it)
SCOPE
We currently have a total of 38 credentials listed in https://ci.adoptopenjdk.net/credentials/ so I would suggest we start with that list and understand which are in use and which, if any, we can remove from there. We should also look at doing the same for anything that is in the secrets repository if it's not in the jenkins credential list.
Private spreadsheet has been shared with relevant parties in order to collate this information
After review today with @karianna and @gdams 19 of the IDs are deletion candidates. Given we are close to the next set of quarterly releases we will not begin removing them yet, but will hold off until after the release cycle.