Assume IAM role rather than use hardcoded IAM user credentials for build job #126

NoxHarmonium · 2022-09-19T09:33:18Z

Using a role is best practice and gives the following benefits over an IAM user:

We can set the role up so only Github (hopefully at the project/repo level) can assume it, hopefully not any random person who has stolen the credentials
When the role is assumed, the credentials have an expiry so the impact is less when leaked
The auditing is easier, a session name is provided when assuming the role so you know which system is doing the assuming

That's off the top of my head so it might not be 100% correct but I think the gist is correct.

See also:

https://github.com/aws-actions/configure-aws-credentials#credentials
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

NoxHarmonium · 2022-09-19T09:36:24Z

I made a start on this in my WIP branch for issue #43
https://github.com/agiledigital-labs/aws-durable-lambda/blob/issue-43-int-test/cf/ci-role.yaml

NoxHarmonium added the tech-debt Does not affect the end user, but impedes development of the plugin label Sep 19, 2022

NoxHarmonium changed the title ~~Use IAM role rather than IAM user for build job~~ Assume IAM role rather than use hardcoded IAM user credentials for build job Sep 19, 2022

NoxHarmonium mentioned this issue Sep 19, 2022

Use layers to deploy shared libraries to avoid bundler inconsistencies (fixes #42) #124

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Assume IAM role rather than use hardcoded IAM user credentials for build job #126

Assume IAM role rather than use hardcoded IAM user credentials for build job #126

NoxHarmonium commented Sep 19, 2022

NoxHarmonium commented Sep 19, 2022

Assume IAM role rather than use hardcoded IAM user credentials for build job #126

Assume IAM role rather than use hardcoded IAM user credentials for build job #126

Comments

NoxHarmonium commented Sep 19, 2022

NoxHarmonium commented Sep 19, 2022