README
¶
concourse-sts-lambda
Lambda function to rotate AWS credentials used by Concourse teams. See the terraform subdirectory for an example that should work (with minimal effort).
Why?
Our CI/CD (in our case Concourse) needs AWS credentials to deploy Terraform templates. Since we are sharing workers between teams, the instance profile itself has no privileges. And so, we need to pass in credentials to the tasks which require them.
Instead of having individual teams being responsible for their CI credentials, we can use this Lambda function to write temporary credentials to a specific teams Concourse secrets, for one or more accounts.
How?
In short:
- This Lambda function is deployed to the same account as our Concourse.
- Individual accounts add a CI role with the Lambda functions execution role as a trusted entity.
- A team adds a CloudWatch event rule with the configuration for which accounts they need access to.
- Lambda assumes the roles specified in the configuration and rotates the temporary AWS credentials for said team on a 50min schedule.
- ???
- Profit.
Usage
Be in the root directory:
make release
You should now have a zipped Lambda function. Next, edit terraform/example.tf to your liking. When done, be in the terraform directory:
terraform init
terraform apply
NOTE: The aws/secretsmanager KMS Key Alias has to be created/exist before the lambda is deployed.
Team configuration
Example configuration for a Team (which is then passed as input in the CloudWatch event rule):
{
"name": "example-team",
"accounts": [{
"name": "divx-lab",
"roleArn": "arn:aws:iam::123456789999:role/machine-user-example"
}]
}
You can also optionally specify the duration the sts assume role call should use:
{
"name": "example-team",
"accounts": [{
"name": "divx-lab",
"roleArn": "arn:aws:iam::123456789999:role/machine-user-example",
"duration": 7200
}]
}
Note: Role chaining has a limit on duration to be maximum 1 hour.
When the function is triggered with this input it will assume the
roleArn, and write the credentials to (by default):
/concourse/example-team/divx-lab-access-key/concourse/example-team/divx-lab-secret-key/concourse/example-team/divx-lab-session-token
Note that you can have multiple accounts, in which case the account name must be unique to avoid overwriting the secrets in Secrets manager.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Account ¶
type Account struct {
Name string `json:"name"`
RoleArn string `json:"roleArn"`
Duration int64 `json:"duration"`
}
Account represents the configuration for an assumable role.
type Configuration ¶ added in v0.9.0
Configuration passed to the Lambda, pointing to an S3 object with the team configuration.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager handles API calls to AWS.
func NewManager ¶
NewManager creates a new manager from an existing AWS session.
func NewTestManager ¶
func NewTestManager(sm SecretsClient, sts STSClient, s3 S3Client) *Manager
NewTestManager ...
func (*Manager) AssumeRole ¶
AssumeRole on the given role ARN and the given team name (identifier).
func (*Manager) ReadConfig ¶ added in v0.9.0
ReadConfig from S3.
func (*Manager) WriteCredentials ¶
func (m *Manager) WriteCredentials(creds *sts.Credentials, path string) error
WriteCredentials handles writing a set of Credentials to the parameter store.
type SecretPath ¶ added in v0.2.0
SecretPath represents the path used to write secrets into Secrets manager.
func NewSecretPath ¶ added in v0.2.0
func NewSecretPath(team, account, template string) *SecretPath
NewSecretPath ...
func (*SecretPath) String ¶ added in v0.2.0
func (p *SecretPath) String() (string, error)
type SecretsClient ¶ added in v0.3.0
type SecretsClient secretsmanageriface.SecretsManagerAPI
SecretsClient for testing purposes.
Source Files
Directories