
Cloud Platform Concourse GH App: Token permissions

Open sj-williams opened this issue 8 months ago • 1 comment

Background

We had an issue on 20/06/24 with the github_actions_secrets_token, in which the token no longer worked and any environments apply runs that invoked GitHub resources would fail with 403 "Resource not accessible by integration" errors.

The token is created and managed within our GitHub App, Cloud Platform Concourse, which does define permissions for the token; however, it is apparent that the permissions are inherited from the user who ran the token-generating script. The original token was created by Poornima (who had organisation owner level permissions), and thus had the ability to read/write vars and secrets in org repos. When her GH user was offboarded, the token and its permissions became invalid.

We resolved this by having the other CP team member with org owner permissions generate a new token.

We need to either:

  • find a way to ensure that tokens generated by the Concourse App can be reliably created, with the right permissions, by any member of CP

  • find out if the concourse-bot GitHub user can be set up with the necessary permissions so that we have a machine user, to prevent similar events in the future.

sj-williams, Jun 21 '24 07:06
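As an added example (not code from the issue or from the Cloud Platform repos), a preflight check that an apply run could perform on a freshly minted App token before touching GitHub resources: it confirms the token is an installation token (ghs_ prefix, owned by the App itself) rather than a user-to-server token (ghu_ prefix, which acts on behalf of a person and breaks when that person is offboarded), and that the permissions GitHub returned cover what the pipeline needs. The required permission set and the sample responses are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Access levels GitHub reports for an App permission, lowest to highest.
ACCESS_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Minimum access the pipeline needs to manage secrets and variables
# in organisation repos (assumed requirement for this example).
REQUIRED = {"metadata": "read", "secrets": "write", "actions_variables": "write"}

def token_kind(token):
    """Classify a GitHub token by its documented prefix."""
    if token.startswith("ghs_"):
        return "installation"    # minted for the App itself, no human owner
    if token.startswith("ghu_"):
        return "user-to-server"  # acts on behalf of a person; dies with them
    return "unknown"

def missing_permissions(granted, required=REQUIRED):
    """Return {perm: (have, need)} for every required permission not met."""
    missing = {}
    for perm, need in required.items():
        have = granted.get(perm, "none")
        if ACCESS_RANK.get(have, 0) < ACCESS_RANK[need]:
            missing[perm] = (have, need)
    return missing

def check_token_response(body, now):
    """Check an access_tokens API response; an empty list means usable."""
    data = json.loads(body) if isinstance(body, str) else body
    problems = []
    kind = token_kind(data.get("token", ""))
    if kind != "installation":
        problems.append(f"token is a {kind} token, not an installation token")
    expires = datetime.fromisoformat(data["expires_at"].replace("Z", "+00:00"))
    if expires <= now:
        problems.append("token already expired")
    for perm, (have, need) in missing_permissions(data.get("permissions", {})).items():
        problems.append(f"permission {perm}: have {have!r}, need {need!r}")
    return problems

# Constructed sample responses (token values are placeholders, not real).
SAMPLE_NOW = datetime(2024, 6, 21, 7, 0, tzinfo=timezone.utc)
GOOD = {"token": "ghs_PLACEHOLDER", "expires_at": "2024-06-21T08:00:00Z",
        "permissions": {"metadata": "read", "secrets": "write",
                        "actions_variables": "write"}}
BAD = {"token": "ghu_PLACEHOLDER", "expires_at": "2024-06-21T08:00:00Z",
       "permissions": {"metadata": "read", "secrets": "read"}}
```

Running the check on BAD reports the user-to-server prefix plus the two permission shortfalls, which is the situation that produced the 403s described above; GOOD passes cleanly.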