Add script to sign arbitrary files using the key stored in Secrets Manager #3
Conversation
Please add a PR description that describes the motivation and some context.
You might want to change the destination of this PR so it won't be against master as long as you haven't committed your changes to master, because at the moment it seems like this has all the doc changes as well (you can change the destination branch from the UI).
sign.sh
Outdated
passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")

echo "Importing key..." >&2
gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
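Review bot: both `python -c` one-liners call `file()`, which is a Python 2 builtin; under Python 3 it raises NameError, so the passphrase read and the key import both fail (gpg then reports no valid OpenPGP data on the empty process substitution). Use `open()`, or better read the secret from stdin with `json.load(sys.stdin)` so no path is needed at all. Also quote `$tmpdir` in `--homedir $tmpdir`; mktemp output is normally safe, but the script is otherwise consistently unquoted.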
is this something we need to install or add to awslabs/superchain?
Both gpg and AWS CLI are already in there.
okay, cool. I don't have it on my Mac but I guess signing is only done on the build fleet anyway.
sign.sh
Outdated
tmpdir=$(mktemp -d)
trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
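Review bot: the EXIT trap chains `shred $tmpdir/* && rm -rf $tmpdir`, so whenever shred fails the rm never runs and the imported private key stays behind in $tmpdir. That failure is the normal case rather than the exception: gpg --import into a fresh --homedir creates subdirectories (private-keys-v1.d with gpg 2.1+), the unquoted glob hands those to shred, and shred refuses directories. Shred files found with `find "$tmpdir" -type f` (tolerating a missing shred, as the thread notes for macOS) and then run `rm -rf "$tmpdir"` unconditionally, i.e. `;` rather than `&&`, or put the cleanup in a function and `trap cleanup EXIT`.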
I don't shred on my machine
+have ?
Oh, macOS... :/
Yes... Try to keep dep surface to a minimum when writing bash scripts. You don't want to know what's up on Windows...
Well yeah, but neither do you have gpg on your machine, apparently. This is designed to run inside the Docker, and the Docker has shred.
sign.sh
Outdated
# Use secrets manager to obtain the key and passphrase into a JSON file
echo "Retrieving key..." >&2
aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
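Review bot: the whole secret, private key and passphrase included, is written in plaintext to $tmpdir/secret.txt and then read back twice. mktemp -d gives a 0700 directory, so other users cannot read it, but the material still lands on disk and its removal depends entirely on the EXIT trap (which, as written, can stop short). Piping the CLI output straight into the extraction step, or holding it in a shell variable that is not exported, keeps it out of the filesystem. The `passphrase=$(...)` line also depends on Python 2 `file()`, so if the build image moves to Python 3 this step breaks.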
I'd rather use node for JSON-related tasks (it is JS after all).
sign.sh
Outdated
# Use secrets manager to obtain the key and passphrase into a JSON file
echo "Retrieving key..." >&2
aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
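Review bot: `--output text --query SecretString` prints the literal string None when the secret was stored as SecretBinary instead of SecretString (the CLI renders a null field that way in text mode), and the redirect happily writes that to secret.txt, so the failure only surfaces later as a confusing JSON parse error. Check that the output is non-empty and parses before importing; with the region argument dropped as agreed below, a secret in the wrong region fails at this same line, so a clear error here helps both cases.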
I'd rather we don't specify a region here. I believe the default region is the region where the build task runs, no?
But the secrets do live in a particular region (I've created them there), which is only incidentally the same one as the one where the build runs.
Does it make sense to make a cross-region call if our build fleet is deployed elsewhere, or to put the secrets alongside each build fleet? (Hypothetical, of course.)
Good question. I'll remove the region, with the result that the call will fail if we fail to colocate the build with the secrets. I guess that's preferable to "accidentally" placing them far away.
By the way, I will also add the key provisioning to the CI/CD stack.
Dry run?
packages/docs/package.json
Outdated
@@ -2,16 +2,13 @@
"name": "docs",
"private": true,
"version": "0.6.0",
"description": "AWS CDK Documentation",
"description": "Generates the documentation for all packages",
Rebase
packages/docs/src/concepts.rst
Outdated
@@ -50,26 +50,32 @@ to instantiate the ``StorageLayer`` construct.

When you initialize a construct,
add the construct to the construct tree by specifying the parent construct as the first initializer parameter,
a unique (to your stack) identifier for the construct as the second parameter,
and an optional set of properties for the final parameter,
a unique identifier for the construct as the second parameter,
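Review bot: this hunk, like the packages/docs/package.json one above it, is unrelated to the signing script and is the doc change the first comment flagged; rebase so the PR carries only sign.sh. If the wording change is intended, note that the new line drops "(to your stack)", which narrows the stated uniqueness scope of the identifier, so it deserves its own doc PR where that can be reviewed on its merits.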
Still seeing doc updates here... something is weird
# This is the 1st commit message: Add Identity Pool construct
# This is the commit message #2: Bug fixes
# This is the commit message #3: Bug fixes
# This is the commit message #4: Formatting
# This is the commit message #5: Add construct methods
# This is the commit message #6: Remove flat
# This is the commit message #7: Fix issues
Added Note 3 - Additional note that certain expected defaults for parameters may be different. **⚠ Note aws#3**: Expected defaults for certain parameters may be different with the hotswap parameter. For example, an ECS service's minimum healthy percentage will currently be set to 0. Please review the source accordingly if this occurs.
This adds a script that loads a secret PGP key from Secrets Manager and signs arbitrary artifacts with it, creating detached (FILE.sig) signatures.

Not integrated with the buildspec.yaml yet. We should do that when we're building superzips.
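As an added illustration of the flow described above, and not the PR's own sign.sh, the following script shows the fetch/import/sign sequence with the points raised in the review applied: the secret JSON is parsed from stdin with Python 3 (no temp file, no Python 2 file()), no region is hard-coded, the passphrase reaches gpg on a file descriptor, and the cleanup trap removes the temporary GPG home even when shred is missing or fails. It assumes, as the PR does, that the secret is a JSON document with "Passphrase" and "PrivateKey" fields; the function names, the SECRET environment variable and the embedded sample secret are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the PR's sign.sh: the same fetch/import/sign flow with the
# secret kept off disk, Python 3 JSON parsing, and a cleanup trap that always runs.
# Assumes the secret is JSON with "Passphrase" and "PrivateKey" fields, as in the PR.
set -eu

# Read the Secrets Manager JSON on stdin and print one field. Parsing from stdin
# needs no temp file and avoids file(), which exists only on Python 2.
extract_field() {
    python3 -c 'import json, sys; print(json.load(sys.stdin)[sys.argv[1]])' "$1"
}

# Fetch the secret string. No --region: the CLI uses the build's own region and
# fails loudly if the secret is not colocated (the outcome agreed in the thread).
fetch_secret() {
    aws secretsmanager get-secret-value --secret-id "$1" --output text --query SecretString
}

# Always-run cleanup for the throwaway GPG home. The original "shred && rm -rf"
# skipped the rm whenever shred failed; here shred is best effort (it may be
# absent, and it refuses gpg's subdirectories) and the rm -rf runs regardless.
GPG_TMP=""
cleanup() {
    if [ -n "$GPG_TMP" ] && [ -d "$GPG_TMP" ]; then
        if command -v shred >/dev/null 2>&1; then
            find "$GPG_TMP" -type f -exec shred -u {} + 2>/dev/null || true
        fi
        rm -rf "$GPG_TMP"
    fi
}

# Import the key from the secret JSON ($1) and write FILE.sig for each file.
# The passphrase is handed to gpg on a file descriptor, never on the command line.
sign_files() {
    secret_json="$1"; shift
    GPG_TMP=$(mktemp -d)
    trap cleanup EXIT
    echo "Importing key..." >&2
    printf '%s\n' "$secret_json" | extract_field PrivateKey \
        | gpg --homedir "$GPG_TMP" --batch --import
    for f in "$@"; do
        echo "Signing $f..." >&2
        printf '%s\n' "$secret_json" | extract_field Passphrase \
            | gpg --homedir "$GPG_TMP" --batch --pinentry-mode loopback --passphrase-fd 0 \
                  --detach-sign --output "$f.sig" "$f"
    done
}

# Constructed sample secret (no real key material) so the parsing can be exercised offline.
SAMPLE_SECRET='{"Passphrase":"example-passphrase","PrivateKey":"-----BEGIN PGP PRIVATE KEY BLOCK-----\nnotarealkey\n-----END PGP PRIVATE KEY BLOCK-----"}'

if [ "$#" -gt 0 ]; then
    # Real run: SECRET holds the secret id, remaining arguments are the files to sign.
    sign_files "$(fetch_secret "${SECRET:?set SECRET to the Secrets Manager secret id}")" "$@"
else
    printf 'Passphrase field of the sample secret: %s\n' \
        "$(printf '%s' "$SAMPLE_SECRET" | extract_field Passphrase)"
fi
```

Run it as `SECRET=<secret id> ./sign.sh artifact.zip` inside the build container where gpg and the AWS CLI exist; with no arguments it only exercises the JSON extraction against the embedded sample. Holding the secret in an unexported shell variable rather than a file means nothing is left to shred if the script is killed before the trap fires.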