From 411aab5b29190493c375dbea1ece03c173769052 Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Tue, 30 Jul 2024 12:56:21 -0700
Subject: [PATCH 1/2] chore(Sonatype): Sonatype Migration to User Tokens

---
 cfn/ci_cd.yml                      | 2 +-
 codebuild/release/release-prod.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index bee48fc6..3b7e1dbe 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
@@ -379,7 +379,7 @@ Resources:
                 "Resource": [
                   "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
                   "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
-                  "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm",
+                  "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-User-Token-zK61bM",
                   "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
                 ],
                 "Action": "secretsmanager:GetSecretValue"
diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml
index b15b5c3f..a3e7e68b 100644
--- a/codebuild/release/release-prod.yml
+++ b/codebuild/release/release-prod.yml
@@ -9,8 +9,8 @@ env:
   secrets-manager:
     GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
     GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
-    SONA_USERNAME: Sonatype-Team-Account:Username
-    SONA_PASSWORD: Sonatype-Team-Account:Password
+    SONA_USERNAME: Sonatype-User-Token:username
+    SONA_PASSWORD: Sonatype-User-Token:password
 
 phases:
   install:

From 020c81fcfc5128ed53707098e6cbda2fd8547b34 Mon Sep 17 00:00:00 2001
From: Ritvik Kapila
Date: Tue, 30 Jul 2024 14:24:49 -0700
Subject: [PATCH 2/2] updated cfn template to remove escalation of privilege by CI project

---
 cfn/ci_cd.yml | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml
index 3b7e1dbe..e5636964 100644
--- a/cfn/ci_cd.yml
+++ b/cfn/ci_cd.yml
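Review bot: The statement stops granting `secretsmanager:GetSecretValue` on `Sonatype-Team-Account-0tWvZm`, but nothing in the patch retires that secret or the Sonatype team-account password it holds, so it stays a live credential for any principal that still has a broader Secrets Manager grant in this account. Once the token path has produced a successful release, the old secret should be deleted and the team-account password revoked at Sonatype; until then the migration has added a credential rather than replaced one. Which IAM role this policy statement is attached to is not visible in the hunk, so whether the CI or the Release role gains access to the new token cannot be confirmed from here.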
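Review bot: The two `+` lines change the JSON key names from `Username`/`Password` to `username`/`password`, and CodeBuild's `secret-id:json-key` lookup is case-sensitive, so this only resolves if the `Sonatype-User-Token` secret was created with lowercase keys; a mismatch fails when the build environment is provisioned, before any phase runs, which is easy to mistake for an IAM problem. Worth confirming the key names against the stored secret and documenting the shape, e.g. `# Sonatype-User-Token holds a user token, not the team-account password; JSON keys are lowercase` above `SONA_USERNAME`. `SONA_PASSWORD` now carries a token rather than a password; renaming the variable is optional, but the comment should say what it holds so the next rotation does not guess.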
@@ -137,10 +137,9 @@ Resources:
       ManagedPolicyArns:
         - !Ref CryptoToolsKMS
         - !Ref CodeBuildBatchPolicy
-        - !Ref CodeBuildBasePolicy
+        - !Ref CodeBuildBasePolicyCI
         - !Ref SecretsManagerPolicyCI
         - !Ref ParameterStorePolicy
-        - !Ref CodeBuildBasePolicyCI
         - !Ref CodeBuildCISTSAllow
         - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
         - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
@@ -194,9 +193,7 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release",
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI",
-                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}"
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-CI"
               ],
               "Action": [
                 "codebuild:StartBuild",
@@ -221,7 +218,7 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release"
+                "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-Release"
               ],
               "Action": [
                 "codebuild:StartBuild",
@@ -244,8 +241,6 @@ Resources:
             {
               "Effect": "Allow",
               "Resource": [
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}",
-                "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*",
                 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI",
                 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*",
                 "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-Release",
@@ -305,7 +300,8 @@ Resources:
               "Action": [
                 "logs:CreateLogGroup",
                 "logs:CreateLogStream",
-                "logs:PutLogEvents"
+                "logs:PutLogEvents",
+                "logs:GetLogEvents"
               ]
             },
             {
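Review bot: The CI role still carries `arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess` on the last context line, which keeps create, write and delete on every CodeArtifact domain and repository in the account on the very role this commit is narrowing; `AWSCodeArtifactReadOnlyAccess` on the line above it is redundant once admin is attached. If CI only needs to resolve and publish packages, replace the admin policy with a statement scoped to the named domain and repository ARNs (`codeartifact:GetAuthorizationToken`, `codeartifact:ReadFromRepository`, `codeartifact:PublishPackageVersion`, plus `sts:GetServiceBearerToken` for the login) and drop the read-only policy at the same time. The enclosing role resource starts outside the hunk, so whether other policies already cover CodeArtifact cannot be checked from here.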
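Review bot: `logs:GetLogEvents` on the second `+` line of the `@@ -305` hunk is a read permission added to a statement that otherwise only needs to write logs, and that statement's `Resource` list lies outside the hunk; if it spans the `${ProjectName}-Release` log groups the way the list in the `@@ -244` hunk does, the CI role can read release build output, which the commit message says it is trying to prevent. Put the read grant in its own statement scoped to the CI group, `"Resource": ["arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-CI:*"]`, and say in the template which build step reads its own logs, since CodeBuild does not need `GetLogEvents` to emit them.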
@@ -331,7 +327,7 @@ Resources:
                 "codebuild:BatchPutCodeCoverages"
               ],
               "Resource": [
-                "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*"
+                "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/${ProjectName}-CI-*"
               ]
             }
           ]
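Review bot: The `+` line parameterizes the project name but leaves the region hard-coded as `us-west-2`, while the project and log-group ARNs changed elsewhere in this patch use `${AWS::Region}`; deployed in any other region this grant matches nothing and `codebuild:BatchPutCodeCoverages` (and the sibling report actions above it) fail with AccessDenied. Use `"arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-CI-*"` so the report-group statement follows the same convention. The statement's action list begins outside the hunk.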