Skip to content

Commit

Permalink
ci: split aws credentials in two separate users with scoped perms
Browse files Browse the repository at this point in the history 
This commit changes our CI to use two separate IAM users to
authenticate with AWS:

* ci--rust-lang--rust--sccache: has access to the rust-lang-ci-sccache2
  S3 bucket and its credentials are available during the whole build.
* ci--rust-lang--rust--upload: has access to the rust-lang-ci2 S3 bucket
  and its credentials are available just during the upload step.

The new tokens are available in the `prod-credentials` library.
  • Loading branch information
@pietroalbini @Mark-Simulacrum
pietroalbini authored and Mark-Simulacrum committed Sep 21, 2019
1 parent 73c70ca commit e8d2957
Show file tree
Hide file tree
Showing 4 changed files with 10 additions and 7 deletions.
2 changes: 1 addition & 1 deletion src/ci/azure-pipelines/auto.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ trigger:
- auto

variables:
- group: real-prod-credentials
- group: prod-credentials

jobs:
- job: Linux
Expand Down
2 changes: 1 addition & 1 deletion src/ci/azure-pipelines/master.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ trigger:
- master

variables:
- group: real-prod-credentials
- group: prod-credentials

pool:
vmImage: ubuntu-16.04
Expand Down
11 changes: 7 additions & 4 deletions src/ci/azure-pipelines/steps/run.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,8 @@ steps:
env:
CI: true
SRC: .
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
AWS_ACCESS_KEY_ID: $(SCCACHE_AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(SCCACHE_AWS_SECRET_ACCESS_KEY)
TOOLSTATE_REPO_ACCESS_TOKEN: $(TOOLSTATE_REPO_ACCESS_TOKEN)
condition: and(succeeded(), not(variables.SKIP_JOB))
displayName: Run build
Expand All @@ -192,7 +193,8 @@ steps:
fi
retry aws s3 cp --no-progress --recursive --acl public-read ./$upload_dir s3://$DEPLOY_BUCKET/$deploy_dir/$BUILD_SOURCEVERSION
env:
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
condition: and(succeeded(), not(variables.SKIP_JOB), or(eq(variables.DEPLOY, '1'), eq(variables.DEPLOY_ALT, '1')))
displayName: Upload artifacts

Expand All @@ -201,7 +203,8 @@ steps:
# errors here ever fail the build since this is just informational.
- bash: aws s3 cp --acl public-read cpu-usage.csv s3://$DEPLOY_BUCKET/rustc-builds/$BUILD_SOURCEVERSION/cpu-$SYSTEM_JOBNAME.csv
env:
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
condition: variables['AWS_SECRET_ACCESS_KEY']
AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
condition: variables['UPLOAD_AWS_SECRET_ACCESS_KEY']
continueOnError: true
displayName: Upload CPU usage statistics
2 changes: 1 addition & 1 deletion src/ci/azure-pipelines/try.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ trigger:
- try

variables:
- group: real-prod-credentials
- group: prod-credentials

jobs:
- job: Linux
Expand Down

0 comments on commit e8d2957

Please sign in to comment.