UNCLASSIFIED - NO CUI

remove AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID in favor of service account on the runner

Rob McCarthy requested to merge cosign-irsa into main

Description

Remove the use of AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID from cosign.py. The Terraform in https://repo1.dso.mil/ironbank-tools/infra/ironbank-bootstrap/-/merge_requests/1190 adds an SA ("sign") annotation to retrieve the ASYMMETRIC KMS keypair from AWS.

Risk

Risk of all container signatures breaking for one cycle once we bump IB_MODULES_TAG to include this MR.

Rollback Plan

The user with access to the KMS key still exists in our AWS account, so it will simply be a matter of reverting the IB_MODULES_TAG and restoring the COSIGN_AWS_ACCESS_KEY_ID and COSIGN_AWS_SECRET_ACCESS_KEY CI vars under /dsop.

Testing

These changes have been tested in Mario. We will further test the new certificate obtained from CNAP by creating a separate build in production (https://repo1.dso.mil/dsop/ironbank-pipelines/pipelines-runner-dev with new tag).
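The credential change this merge request describes (static AWS keys removed from cosign.py, signing authenticated through the runner's annotated service account) can be illustrated with the following added example. It is not Iron Bank's cosign.py and not part of the merge request; the KMS alias, role ARN, token path and image reference are constructed placeholders, and the `AWS_ROLE_ARN` / `AWS_WEB_IDENTITY_TOKEN_FILE` variables are the ones the EKS pod identity webhook injects for an IRSA-annotated ServiceAccount, which the AWS SDK default credential chain picks up without any explicit keys:

```python
"""Added example: signing with a KMS key through the service-account (IRSA)
credential path instead of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.

Not the project's cosign.py; all ARNs, aliases and paths are placeholders.
"""
from typing import Mapping

# Long-lived keys that must be absent once signing moves to the service account.
STATIC_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Injected into the pod when its ServiceAccount carries the
# eks.amazonaws.com/role-arn annotation; the SDK credential chain reads them.
IRSA_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def credential_source(env: Mapping[str, str]) -> str:
    """Classify how the signing step would authenticate to AWS KMS.

    "static" if long-lived keys are set (the pre-MR behaviour), "irsa" if only
    the web-identity variables are present, "none" if neither. Static keys win
    in the SDK chain, so they are flagged even when IRSA variables also exist.
    """
    if any(env.get(v) for v in STATIC_CREDENTIAL_VARS):
        return "static"
    if all(env.get(v) for v in IRSA_VARS):
        return "irsa"
    return "none"


def scrubbed_env(env: Mapping[str, str]) -> dict[str, str]:
    """Copy of env without the legacy static-key variables.

    Covers the transition window: if the old CI variables still exist on the
    runner, this guarantees the SDK cannot silently fall back to them.
    """
    return {k: v for k, v in env.items() if k not in STATIC_CREDENTIAL_VARS}


def build_sign_command(image: str, kms_key_alias: str, env: Mapping[str, str]) -> list[str]:
    """Build the cosign invocation for the service-account model.

    Refuses static keys so a stale CI variable cannot reintroduce the old
    credential path. awskms:// is cosign's KMS key-reference scheme; the alias
    value is a placeholder.
    """
    source = credential_source(env)
    if source == "static":
        raise RuntimeError("static AWS credentials present; unset them and use the IRSA service account")
    if source != "irsa":
        raise RuntimeError("no IRSA web-identity credentials found in the environment")
    return ["cosign", "sign", "--key", f"awskms:///alias/{kms_key_alias}", image]


if __name__ == "__main__":
    # Constructed environment resembling an IRSA-enabled runner pod.
    demo_env = {
        "AWS_REGION": "us-east-1",
        "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/placeholder-sign-role",
        "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    }
    cmd = build_sign_command("registry.example/placeholder/image:1.0", "placeholder-cosign", demo_env)
    print(" ".join(cmd))
    # Executing cmd for real needs the cosign binary and a KMS key the role may
    # use (kms:Sign and kms:GetPublicKey); pass scrubbed_env(...) as its env.
```

The precedence rule in `credential_source` is the part worth keeping in mind during the rollback window described above: while the COSIGN_AWS_* variables still exist, any code path that re-exports them as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY will shadow the service-account identity, which is why the example refuses to sign rather than warn.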