
Replace CICD user with OIDC

Open davidkelliott opened this issue 1 year ago • 1 comments

User Story

As a MP user I want to use OIDC instead of AWS credentials to authenticate So that I can have an easy and secure application authentication process

User Type(s)

MP User

Value

More secure, no credentials to manage and rotate

Assumptions / Hypothesis / Questions / Unknowns

Hypothesis

If we switch to OIDC Then it will be more secure and easier for users to manage

Proposal

  1. Add to environments file for each app attribute to list repos they want the CICD to run from.
  2. [Add application cicd role](https://github.com/ministryofjustice/modernisation-platform-github-oidc-role) to create additional role to each account which has the same policies as the CICD user attached and is accessible to each repo defined in 2.
  3. Move any users using current cicd user over to OIDC.
  4. Remove old cicd users.

Unknowns

Who is using the cicd user. How much effort to switch them over. Should we remove the role code from the provider repo so that we have one oidc-provider repo and one oidc-role repo, rather than a provider repo which does both the provider and the role and a separate repo for just the role.

Definition of done

  • [ ] Add to environments file for each app attribute to list repos they want the CICD to run from.
  • [ ] [Add application cicd role](https://github.com/ministryofjustice/modernisation-platform-github-oidc-role) to create additional role to each account which has the same policies as the CICD user attached and is accessible to each repo defined in 2.
  • [ ] Move any users using current cicd user over to OIDC.
  • [ ] Remove old cicd users.
  • [ ] readme has been updated
  • [ ] user docs have been updated
  • [ ] another team member has reviewed
  • [ ] tests are green
  • [ ] UR test OR added to continual research plan

Reference

How to write good user stories

davidkelliott avatar May 19 '23 15:05 davidkelliott

as part of this ticket we will pick up https://github.com/ministryofjustice/modernisation-platform/issues/4251

SimonPPledger avatar Jul 11 '23 10:07 SimonPPledger

Raised ticket with AWS in example-development

https://eu-west-2.console.aws.amazon.com/cloudtrail/home?region=eu-west-2#/events?ResourceName=arn:aws:iam::083957762049:role/modernisation-platform-oidc-cicd

ep-93 avatar Jul 19 '23 09:07 ep-93

Please reply to the ticket, I was milk monitor today and didn't get around to it. Support case in example


Hello,

Thank you for contacting AWS Premium Support. My name is Mossy and I will be assisting you with your case today.

I understand you are getting "An unknown error occurred" error messages and would like to know the reason behind these errors. Please feel free to correct me if I have misunderstood your issue.

From using internal tools I queried your CloudTrail logs and can see many 'Access Denied' errors when using the 'AssumeRoleWithWebIdentity' API call. Is this the same behavior you are seeing on your end?

I then examined the trust policy for your role 'modernisation-platform-oidc-cicd' and can see that there may be a misconfiguration of the trust policy. In the "sub" section of the trust policy it contains the value "repo:ministryofjustice/modernisation-platform-configuration-management". However, in the CloudTrail logs it shows the "sub" as being "repo:ministryofjustice/modernisation-platform-configuration-management:pull_request". This may be the reason that the operation is being denied. 

In order to test this and mitigate this issue can you please modify the trust policy so that it contains a wildcard at the end of the "sub" value. I will paste a sample below.
"repo:ministryofjustice/modernisation-platform-configuration-management:*"

This aligns with the following GitHub documentation[1] which I will link below that shows the "sub" value containing a wildcard at the end.

Please test this operation again and let me know if your issue persists. If you have any further questions or issues let me know and I will do my very best to assist.

Have a great day!

ep-93 avatar Jul 20 '23 15:07 ep-93

Hello,

Thank you for contacting AWS Premium Support. My name is Mossy and I will be assisting you with your case today.

I understand you are getting "An unknown error occurred" error messages and would like to know the reason behind these errors. Please feel free to correct me if I have misunderstood your issue.

From using internal tools I queried your CloudTrail logs and can see many 'Access Denied' errors when using the 'AssumeRoleWithWebIdentity' API call. Is this the same behavior you are seeing on your end ?

I then examined the trust policy for your role 'modernisation-platform-oidc-cicd' and can see that there may be a misconfiguration of the trust policy. In the "sub" section of the trust policy it contains the value "repo:ministryofjustice/modernisation-platform-configuration-management". However, in the CloudTrail logs it shows the "sub" as being "repo:ministryofjustice/modernisation-platform-configuration-management:pull_request". This may be the reason that the operation is being denied.

In order to test this and mitigate this issue can you please modify the trust policy so that it contains a wildcard at the end of the "sub" value. I will paste a sample below. "repo:ministryofjustice/modernisation-platform-configuration-management:*"

This aligns with the following GitHub documentation[1] which I will link below that shows the "sub" value containing a wildcard at the end.

Please test this operation again and let me know if your issue persists. If you have any further questions or issues let me know and I will do my very best to assist.

Have a great day!

References: [1] https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.

Best regards, Mossy S. Amazon Web Services

markgov avatar Jul 25 '23 10:07 markgov
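The support reply quoted in the two comments above comes down to how IAM matches the GitHub OIDC `sub` claim against the role's trust policy condition. The following is an added example, not code from this issue or from the Modernisation Platform repositories: it models that condition matching offline so the denial for a `sub` of `repo:<org>/<repo>:pull_request` against a trust policy pinned to the bare `repo:<org>/<repo>` value can be reproduced, and the wildcard fix checked. The account id `111122223333`, the policy documents and the token claims are constructed for illustration; the operator names `StringEquals` and `StringLike` are real IAM condition operators.

```python
# Added example (not from the issue or the Modernisation Platform repos):
# models IAM trust-policy condition matching on the GitHub OIDC "sub" claim.
# Account id 111122223333, the policies and the claims below are constructed.
import re

ISSUER = "token.actions.githubusercontent.com"
REPO = "ministryofjustice/modernisation-platform-configuration-management"


def trust_policy(operator: str, sub_pattern: str) -> dict:
    """Build a trust policy for the GitHub OIDC provider.

    operator is the IAM condition operator ("StringEquals" or "StringLike");
    sub_pattern is the value the token's "sub" claim must satisfy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                operator: {f"{ISSUER}:sub": sub_pattern},
            },
        }],
    }


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator: str, expected, actual: str) -> bool:
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        # '*' is a literal character here, which is why a wildcard sub under
        # StringEquals never matches a real token.
        return actual in expected
    if operator == "StringLike":
        return any(_string_like(p, actual) for p in expected)
    raise ValueError(f"operator not modelled: {operator}")


def assume_role_allowed(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity has all its
    conditions satisfied by the token claims (a simplified IAM evaluation)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]  # "token.actions...:sub" -> "sub"
                if not _condition_holds(operator, expected, claims.get(claim, "")):
                    satisfied = False
        if satisfied:
            return True
    return False


# Constructed claims: the first is the shape the support reply says CloudTrail
# recorded (a pull_request-triggered workflow), the second a push to main.
PULL_REQUEST_CLAIMS = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:pull_request"}
MAIN_BRANCH_CLAIMS = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:ref:refs/heads/main"}

# Before: sub pinned to the bare repo value, which no GitHub token carries.
BEFORE = trust_policy("StringEquals", f"repo:{REPO}")
# After: the wildcard form from the support reply, which needs StringLike.
AFTER = trust_policy("StringLike", f"repo:{REPO}:*")
# Tighter alternative: only workflows running on the main branch may assume the role.
MAIN_ONLY = trust_policy("StringEquals", f"repo:{REPO}:ref:refs/heads/main")

if __name__ == "__main__":
    for name, policy in [("before", BEFORE), ("after", AFTER), ("main-only", MAIN_ONLY)]:
        print(f"{name:9} pull_request={assume_role_allowed(policy, PULL_REQUEST_CLAIMS)!s:5} "
              f"main={assume_role_allowed(policy, MAIN_BRANCH_CLAIMS)}")
```

The wildcard form restores access for every workflow in the repository (pull requests, any branch, any environment), which is what the support reply proposes. Where the role only needs to be assumed from one branch or one GitHub environment, the `MAIN_ONLY` variant shows the narrower `sub` value that can be pinned with `StringEquals` instead; CloudTrail's recorded `sub` on a denied `AssumeRoleWithWebIdentity` call is the quickest way to see which value the workflow actually presents.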

I've updated the subject value through this PR: https://github.com/ministryofjustice/modernisation-platform/pull/4677

However, looking in the CloudTrail logs for the example account still shows an unknown error: https://eu-west-2.console.aws.amazon.com/cloudtrail/home?region=eu-west-2#/events/9774b62d-d9fa-4a86-8544-1a27e4da83e2

I've updated the support case accordingly.

dms1981 avatar Jul 28 '23 13:07 dms1981

Raised case in the main Modernisation Platform account - 13520776201 - to allow AWS Support to observe successful authentication behaviour.

dms1981 avatar Aug 10 '23 09:08 dms1981

Updated the version of the credentials provider used in GitHub, and it looks like it now successfully authenticates and completes the aws s3 ls command:

  • https://eu-west-2.console.aws.amazon.com/cloudtrail/home?region=eu-west-2#/events/e1c22688-c0d3-4ab3-ab82-9502b897749e
  • https://github.com/ministryofjustice/modernisation-platform-configuration-management/actions/runs/5831574052/job/15815250311

dms1981 avatar Aug 11 '23 10:08 dms1981

https://github.com/ministryofjustice/modernisation-platform-configuration-management/actions/runs/5831574052/job/16063863153

Hey it works.. wish I saw the comment above before but hey haha.

ep-93 avatar Aug 21 '23 10:08 ep-93