Lambda function to rotate AWS credentials used by Concourse teams. See the terraform subdirectory for an example that should work (with minimal effort).
Our CI/CD (in our case Concourse) needs AWS credentials to deploy Terraform templates. Since we are sharing workers between teams, the instance profile itself has no privileges. And so, we need to pass in credentials to the tasks which require them.
Instead of having individual teams being responsible for their CI credentials, we can use this Lambda function to write temporary credentials to a specific teams Concourse secrets, for one or more accounts.
In short:
- This Lambda function is deployed to the same account as our Concourse.
- Individual accounts add a CI role with the Lambda functions execution role as a trusted entity.
- A team adds a CloudWatch event rule with the configuration for which accounts they need access to.
- Lambda assumes the roles specified in the configuration and rotates the temporary AWS credentials for said team on a 50min schedule.
- ???
- Profit.
Be in the root directory:
make release
You should now have a zipped Lambda function. Next, edit terraform/example.tf to your liking. When done, be in the terraform directory:
terraform init
terraform apply
NOTE: The aws/secretsmanager
KMS Key Alias has to be created/exist before the lambda is deployed.
Example configuration for a Team (which is then passed as input in the CloudWatch event rule):
{
"name": "example-team",
"accounts": [{
"name": "divx-lab",
"roleArn": "arn:aws:iam::123456789999:role/machine-user-example"
}]
}
You can also optionally specify the duration the sts assume role call should use:
{
"name": "example-team",
"accounts": [{
"name": "divx-lab",
"roleArn": "arn:aws:iam::123456789999:role/machine-user-example",
"duration": 7200
}]
}
This is useful if you have long running jobs on concourse. The duration should be specified in seconds, and between 1 hour and 12 hours.
When the function is triggered with this input it will assume the
roleArn
, and write the credentials to (by default):
/concourse/example-team/divx-lab-access-key
/concourse/example-team/divx-lab-secret-key
/concourse/example-team/divx-lab-session-token
Note that you can have multiple accounts, in which case the account name must be unique to avoid overwriting the secrets in Secrets manager.