
Rotating Secrets

jtdevos edited this page Jun 27, 2024 · 17 revisions

To maintain the security of any environment that contains production-like data, we enforce a credential rotation every quarter. We rotate the account passwords of the test users in every environment that holds production-like data.

Account Level Users

Circle CI Users

The CircleCI user is an IAM user whose access keys must be rotated in both the Production and Staging AWS accounts. To simplify this, we have a script that deletes the old access keys and prints new keys to enter into the CircleCI interface. Because the old keys are deleted before the new ones are pasted into CircleCI, any pipeline that starts between those two steps will fail to authenticate to AWS: run the rotation when no builds are in flight and update CircleCI immediately afterwards.

  1. Run the following script:

     npm run secrets:rotate-circleci

  2. Copy the new keys the script prints into the CircleCI web interface, then trigger a build to confirm the pipeline can authenticate with them.
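The steps above are driven by the project's own script. As an added example, not code from the project, the following shell script shows the same rotation done by hand with the AWS CLI in the safer create, verify, then deactivate order, so that a working key exists at every moment and the old key can be switched back on if the new one was entered into CircleCI wrongly. The user name circleci-user, the function names and the MAX_KEYS constant are assumptions for the example; the CLI commands are standard aws iam and aws sts subcommands.

```shell
#!/bin/sh
# Added example, not the project's rotate-circleci script: rotate one IAM
# user's access key with the AWS CLI in a create -> verify -> deactivate
# order, so the pipeline never sits without a working key.
# Assumes: the AWS CLI is on PATH with credentials allowed to manage the
# user's keys. The user name "circleci-user" below is a placeholder.
set -eu

MAX_KEYS=2   # IAM hard limit: two access keys per user, so a slot must be free

# Print the user's current AccessKeyIds, one per line (nothing if none).
list_access_key_ids() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].AccessKeyId' --output text | tr '\t' '\n' | grep . || true
}

# Count non-empty lines on stdin, printing 0 for empty input.
count_lines() { grep -c . || true; }

# Create a key; prints "<AccessKeyId><TAB><SecretAccessKey>".
create_access_key() {
  aws iam create-access-key --user-name "$1" \
    --query '[AccessKey.AccessKeyId,AccessKey.SecretAccessKey]' --output text
}

# Prove the new key is usable before the old one is touched. New IAM keys
# can take a few seconds to propagate, so retry. AWS_SESSION_TOKEN is
# cleared so a token from the operator's own session is not sent with it.
verify_key() {
  n=0
  while [ "$n" -lt 10 ]; do
    if AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN= \
         aws sts get-caller-identity >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1)); sleep 2
  done
  return 1
}

deactivate_key() {
  aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

delete_key() {
  aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Rotate the user's key. On success prints "<new id> <new secret>" and leaves
# the old keys Inactive rather than deleted: an inactive key can be switched
# back on if the new one was pasted into CircleCI wrongly. Run delete_key on
# the old ids once a build has passed with the new key.
rotate_access_key() {
  user="$1"
  old_ids=$(list_access_key_ids "$user")
  if [ "$(printf '%s\n' "$old_ids" | count_lines)" -ge "$MAX_KEYS" ]; then
    echo "$user already has $MAX_KEYS access keys; delete an unused one first" >&2
    return 1
  fi
  pair=$(create_access_key "$user")
  set -- $pair            # split on the tab; base64 secrets contain no glob chars
  new_id=$1; new_secret=$2
  if ! verify_key "$new_id" "$new_secret"; then
    delete_key "$user" "$new_id"   # it never worked, so do not leave it behind
    echo "new key $new_id failed verification and was deleted" >&2
    return 1
  fi
  for id in $old_ids; do
    deactivate_key "$user" "$id"
  done
  printf '%s %s\n' "$new_id" "$new_secret"
}

# Usage: sh rotate-iam-key.sh circleci-user
if [ "$#" -gt 0 ]; then
  rotate_access_key "$1"
fi
```

Run it once per AWS account (Production and Staging), paste the printed pair into CircleCI, and delete the Inactive keys only after a build has succeeded with the new ones.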

Environment Users

Environment with Production Data

Any environment with production-like data has a USTC_ADMIN_USER and USTC_ADMIN_PASS, which are used to create test users and perform admin-level operations. These credentials are stored in AWS Secrets Manager.

Additionally, each environment has a number of test users created to aid testing of various workflows. The setup-test-users.sh script runs on every deploy.

The following script automates rotating these secrets:

npm run secrets:rotate-environment

This sets a new password in Cognito for the USTC_ADMIN_USER, then writes the new USTC_ADMIN_PASS and DEFAULT_ACCOUNT_PASS values to the environment's secret in Secrets Manager so that subsequent deploys use the new values.

NOTE: The test users' passwords are not changed until the setup-test-users.ts script runs, so either run it now or wait for the next deploy; until then the stored DEFAULT_ACCOUNT_PASS and the passwords actually set on the test users differ. The judge users are handled separately by the setup-glued-judges.ts script, which must also be run to update their passwords.

DEPLOYING_COLOR=<CURRENT_COLOR> npx ts-node --transpile-only ./scripts/user/setup-test-users.ts 
DESTINATION_TABLE=<SOURCE_TABLE> npx ts-node --transpile-only ./scripts/user/setup-glued-judges.ts
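As an added example, not the project's rotate-environment script, the following shell script performs the rotation just described by hand with the AWS CLI: it generates new passwords, writes them to the environment's Secrets Manager secret, and then sets the admin user's password in Cognito. The secret id ef-cms-<env>, the assumption that the secret's SecretString is a JSON object holding exactly USTC_ADMIN_PASS and DEFAULT_ACCOUNT_PASS, the user pool id, and the function names are all assumptions for the example; the wiki does not state how the secret is laid out.

```shell
#!/bin/sh
# Added example, not the project's rotate-environment script: rotate the
# USTC_ADMIN_USER password in Cognito and store it, with a fresh
# DEFAULT_ACCOUNT_PASS, in the environment's Secrets Manager secret.
# Assumed (not from the wiki): the secret is named "ef-cms-<env>" and its
# SecretString is a JSON object with exactly these two keys. If the real
# secret holds more keys, read and merge them instead of overwriting.
set -eu

# Build a password satisfying a Cognito policy that requires upper-case,
# lower-case, digit and symbol characters, each class drawn from
# /dev/urandom. The classes are concatenated rather than shuffled, which
# keeps the script POSIX-portable and still gives roughly 80 bits.
# The symbol set deliberately excludes '"', '\' and '$' so the result can be
# embedded in JSON with a plain printf.
gen_password() {
  up=$(LC_ALL=C tr -dc 'A-Z' </dev/urandom | head -c 6)
  lo=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 6)
  dg=$(LC_ALL=C tr -dc '0-9' </dev/urandom | head -c 6)
  sym=$(LC_ALL=C tr -dc '!@#%^&*' </dev/urandom | head -c 2)
  printf '%s%s%s%s' "$up" "$lo" "$dg" "$sym"
}

# Set a permanent password (no forced reset on next sign-in).
set_cognito_password() {  # <user-pool-id> <username> <password>
  aws cognito-idp admin-set-user-password --user-pool-id "$1" \
    --username "$2" --password "$3" --permanent
}

# Overwrite the secret's value. Secrets Manager keeps the prior value under
# the AWSPREVIOUS version stage, so the old passwords stay recoverable.
put_secret_json() {  # <secret-id> <json>
  aws secretsmanager put-secret-value --secret-id "$1" --secret-string "$2"
}

build_secret_json() {  # <admin-pass> <default-pass>
  printf '{"USTC_ADMIN_PASS":"%s","DEFAULT_ACCOUNT_PASS":"%s"}' "$1" "$2"
}

rotate_environment() {  # <env> <cognito-user-pool-id> <admin-username>
  env_name="$1"; pool_id="$2"; admin_user="$3"
  secret_id="ef-cms-$env_name"
  admin_pass=$(gen_password)
  default_pass=$(gen_password)
  # Write the secret first. If the Cognito call below then fails, the
  # password that is still valid can be read back with
  #   aws secretsmanager get-secret-value --secret-id "$secret_id" --version-stage AWSPREVIOUS
  # and nothing sensitive ever has to be printed to the terminal.
  put_secret_json "$secret_id" "$(build_secret_json "$admin_pass" "$default_pass")"
  set_cognito_password "$pool_id" "$admin_user" "$admin_pass"
  echo "rotated $admin_user in pool $pool_id; secret $secret_id updated"
}

# Usage: sh rotate-env.sh <env> <user-pool-id> <admin-username>
if [ "$#" -eq 3 ]; then
  rotate_environment "$1" "$2" "$3"
fi
```

After it completes, the test users still carry their previous passwords until setup-test-users.ts (and setup-glued-judges.ts for the judge users) is run or the next deploy happens, exactly as the note above describes.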

Development Environment with Test Data

If the environment is a development environment whose test users use the development password, pass the --development flag to the rotate-environment script:

npm run secrets:rotate-environment -- --development