Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reduce privileges required to invoke promote-release #442

Open
3 of 5 tasks
pietroalbini opened this issue Jul 13, 2024 · 0 comments
Open
3 of 5 tasks

Reduce privileges required to invoke promote-release #442

pietroalbini opened this issue Jul 13, 2024 · 0 comments

Comments

@pietroalbini
Copy link
Member

pietroalbini commented Jul 13, 2024

Me and @Mark-Simulacrum with our release hats have been thinking on how to securely expand the permissions to publish new releases to the wider release team. This became possible thanks to the effort from both Mark (mostly) and me (a bit) to automate more and more of the rustc release process, to the point that no privileged access is required now except for actually starting CodeBuild.

We had a discussion a few weeks ago on #t-release about how to securely grant this access, because just granting the permission to invoke the CodeBuild job would be too risky1.

So the solution that we came up with is to create a new start-release lambda that only accepts the action you want to do (like publish-rust-prod-stable) and is then responsible to invoke CodeBuild. Something similar to the existing promote-release.py but with more guardrails. Then we'd have a small wrapper to invoke the lambda (that I think would be better placed in the rust-lang/release-team repository). This extra layer of indirection would provide the necessary protection to allow t-release to safely start releases.

We would then change promote-release.py to be a more flexible and less opinionated tool to start the promote-release job with arbitrary commands, to allow infra-admins to bypass the restrictions of the lambda in the rare case it's needed.

Tasks

Preview Give feedback
  1. Mark-Simulacrum
  2. Mark-Simulacrum
  3. Mark-Simulacrum

Footnotes

  1. The permission to start a CodeBuild job not only allows to start the job, but also override anything about the build, including the environment variables and the commands being executed. We actually use this to change the environment variables and configure promote-release. Unrestricted access to this though would allow exfiltrating secrets, as an attacker could replace the promote-release invocation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant