Rotating Secrets - ustaxcourt/ef-cms GitHub Wiki

In order to maintain the security of any environment that contains production-like data, we enforce a credential rotation every quarter: the account passwords of all test users in every environment that contains production-like data are rotated.

Account Level Users

Circle CI Users

The CircleCI user is an IAM user whose access keys need to be rotated in both the Production and Staging AWS accounts. To simplify this process, we have a script that deletes the old access keys and outputs new keys to enter into the CircleCI interface.

  1. Run the following script:

    npm run secrets:rotate-circleci

  2. The script outputs new keys to copy and paste into the CircleCI web interface.
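The rotation the script performs, as an added example written for this page rather than the ef-cms `secrets:rotate-circleci` script itself: list the IAM user's access keys, delete them, create one new key, and hand back the values for the CircleCI environment variables. The IAM client sits behind `IamClientLike`, an assumed interface, so the logic runs offline; a real run would back it with the AWS SDK's ListAccessKeys, DeleteAccessKey and CreateAccessKey calls. `FakeIam` is an in-memory stand-in constructed here that enforces IAM's two-keys-per-user quota.

```typescript
// Added example, not the ef-cms rotate-circleci script. IamClientLike is an
// assumed interface; a real implementation wraps the AWS SDK IAM calls.

export interface AccessKey {
  AccessKeyId: string;
  SecretAccessKey: string;
}

export interface IamClientLike {
  listAccessKeyIds(userName: string): Promise<string[]>;
  deleteAccessKey(userName: string, accessKeyId: string): Promise<void>;
  createAccessKey(userName: string): Promise<AccessKey>;
}

export interface RotationResult {
  deletedKeyIds: string[];
  newKey: AccessKey;
  // Values to paste into the CircleCI project environment variables.
  circleCiEnv: { AWS_ACCESS_KEY_ID: string; AWS_SECRET_ACCESS_KEY: string };
}

// IAM allows at most two access keys per user, so the old keys are deleted
// before the new one is created; creating first fails with LimitExceeded
// whenever the user already holds two. Jobs still using the old key fail
// between the deletion and the paste into CircleCI, so do both in one sitting.
export async function rotateIamUserKeys(
  iam: IamClientLike,
  userName: string,
): Promise<RotationResult> {
  const deletedKeyIds: string[] = [];
  for (const keyId of await iam.listAccessKeyIds(userName)) {
    await iam.deleteAccessKey(userName, keyId);
    deletedKeyIds.push(keyId);
  }
  const newKey = await iam.createAccessKey(userName);
  return {
    deletedKeyIds,
    newKey,
    circleCiEnv: {
      AWS_ACCESS_KEY_ID: newKey.AccessKeyId,
      AWS_SECRET_ACCESS_KEY: newKey.SecretAccessKey,
    },
  };
}

// In-memory IAM stand-in, constructed for this example, that enforces the
// two-keys-per-user quota the real service applies.
export class FakeIam implements IamClientLike {
  private keys: Record<string, AccessKey[]> = {};
  private seq = 0;

  constructor(seed: Record<string, string[]> = {}) {
    for (const user of Object.keys(seed)) {
      this.keys[user] = seed[user].map((id) => ({
        AccessKeyId: id,
        SecretAccessKey: `constructed-secret-${id}`,
      }));
    }
  }

  async listAccessKeyIds(userName: string): Promise<string[]> {
    return (this.keys[userName] ?? []).map((k) => k.AccessKeyId);
  }

  async deleteAccessKey(userName: string, accessKeyId: string): Promise<void> {
    this.keys[userName] = (this.keys[userName] ?? []).filter((k) => k.AccessKeyId !== accessKeyId);
  }

  async createAccessKey(userName: string): Promise<AccessKey> {
    const current = this.keys[userName] ?? [];
    if (current.length >= 2) {
      // Modelled on the error the real service returns at the quota.
      throw new Error("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2");
    }
    this.seq += 1;
    const key: AccessKey = {
      AccessKeyId: `AKIAEXAMPLE${this.seq}`, // constructed, not a real key id
      SecretAccessKey: `constructed-secret-new-${this.seq}`,
    };
    this.keys[userName] = [...current, key];
    return key;
  }

  keyCount(userName: string): number {
    return (this.keys[userName] ?? []).length;
  }
}
```

Rotating this way leaves the user with exactly one active key; anything that cached the old key id (a local `~/.aws/credentials` profile, for example) stops working at the same moment CircleCI does, until the new values are in place.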

Environment Users

All Environments

Every environment has a USTC_ADMIN_USER and USTC_ADMIN_PASS associated with it, used to create users and perform admin-level operations. These credentials are stored in AWS Secrets Manager.

The following script rotates these secrets:

CI=false npm run secrets:rotate-environment

This updates the password for the USTC_ADMIN_USER in Cognito, and then writes the new USTC_ADMIN_PASS to the corresponding Secrets Manager value so that subsequent deploys use the new credentials. For environments with production-like data, it also generates a new DEFAULT_ACCOUNT_PASS and updates that Secrets Manager value as well.

Be sure to run the environment switcher after rotating the secrets to retrieve the new values.

Production

The production environment has a single test user, [email protected], used to execute load tests. After rotating passwords in production, you will need to set that user's password in Cognito:

aws cognito-idp admin-set-user-password \
  --user-pool-id "$COGNITO_USER_POOL" \
  --username [email protected] \
  --password "$DEFAULT_ACCOUNT_PASS" \
  --permanent
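What the environment rotation described above does, and the production follow-up step of setting the load-test user's password, as one added example written for this page (it is not the ef-cms `secrets:rotate-environment` script): generate a new USTC_ADMIN_PASS, set it in Cognito with the same effect as `admin-set-user-password --permanent`, then write it to Secrets Manager; for production-like data, also mint a new DEFAULT_ACCOUNT_PASS and apply it to the listed test users. `CognitoLike` and `SecretsLike` are assumed interfaces so the code runs offline, the secret is assumed to hold a JSON object of key/value pairs, and the user pool is assumed to use Cognito's default password policy; `FakeCognito` and `FakeSecrets` are constructed stand-ins.

```typescript
import { randomInt } from "node:crypto";

// Added example, not the ef-cms rotate-environment script. CognitoLike and
// SecretsLike are assumed interfaces; the secret is assumed to be a JSON object.

export interface CognitoLike {
  // Same effect as `admin-set-user-password --permanent`: no forced reset on next login.
  adminSetUserPassword(userPoolId: string, username: string, password: string): Promise<void>;
}

export interface SecretsLike {
  getSecretValue(secretId: string): Promise<Record<string, string>>;
  putSecretValue(secretId: string, value: Record<string, string>): Promise<void>;
}

const CLASSES = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  "0123456789", "!@#$%^&*()-_=+[]{}"];
const ALL = CLASSES.join("");

// Cognito's default policy: at least 8 characters with one from each class.
// The pool's real policy is not on the wiki page, so the default is assumed.
export function meetsCognitoDefaultPolicy(pw: string): boolean {
  return pw.length >= 8 && CLASSES.every((cls) => pw.split("").some((c) => cls.indexOf(c) >= 0));
}

// CSPRNG-backed generator: one guaranteed character per class, the rest drawn
// from the full alphabet, then a Fisher-Yates shuffle so the guaranteed
// characters do not always sit at the front.
export function generatePassword(length = 24): string {
  if (length < 8) throw new Error("length below the Cognito minimum of 8");
  const chars = CLASSES.map((cls) => cls[randomInt(cls.length)]);
  while (chars.length < length) chars.push(ALL[randomInt(ALL.length)]);
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    const tmp = chars[i]; chars[i] = chars[j]; chars[j] = tmp;
  }
  return chars.join("");
}

export interface EnvRotationOptions {
  cognito: CognitoLike;
  secrets: SecretsLike;
  userPoolId: string;
  secretId: string;          // Secrets Manager secret carrying USTC_ADMIN_PASS
  adminUser: string;         // USTC_ADMIN_USER
  productionLikeData: boolean;
  testUsers?: string[];      // accounts that receive DEFAULT_ACCOUNT_PASS (e.g. the load-test user)
}

export interface EnvRotationResult {
  USTC_ADMIN_PASS: string;
  DEFAULT_ACCOUNT_PASS?: string;
}

// Order matters: Cognito first, the secret last. If a Cognito call throws, the
// secret is left untouched, so deploys keep the credential that is still valid
// rather than one that was never applied.
export async function rotateEnvironmentSecrets(opts: EnvRotationOptions): Promise<EnvRotationResult> {
  const current = await opts.secrets.getSecretValue(opts.secretId);
  const adminPass = generatePassword();
  await opts.cognito.adminSetUserPassword(opts.userPoolId, opts.adminUser, adminPass);
  const updated: Record<string, string> = { ...current, USTC_ADMIN_PASS: adminPass };
  const result: EnvRotationResult = { USTC_ADMIN_PASS: adminPass };
  if (opts.productionLikeData) {
    const defaultPass = generatePassword();
    for (const user of opts.testUsers ?? []) {
      await opts.cognito.adminSetUserPassword(opts.userPoolId, user, defaultPass);
    }
    updated.DEFAULT_ACCOUNT_PASS = defaultPass;
    result.DEFAULT_ACCOUNT_PASS = defaultPass;
  }
  // Merge into the existing value so other keys stored in the same secret survive.
  await opts.secrets.putSecretValue(opts.secretId, updated);
  return result;
}

// In-memory stand-ins, constructed for this example.
export class FakeCognito implements CognitoLike {
  passwords: Record<string, string> = {};
  failFor: string[] = []; // usernames whose update should fail, to exercise the error path
  async adminSetUserPassword(_pool: string, username: string, password: string): Promise<void> {
    if (this.failFor.indexOf(username) >= 0) throw new Error("constructed Cognito failure");
    this.passwords[username] = password;
  }
}

export class FakeSecrets implements SecretsLike {
  store: Record<string, Record<string, string>> = {};
  async getSecretValue(id: string): Promise<Record<string, string>> { return { ...(this.store[id] ?? {}) }; }
  async putSecretValue(id: string, value: Record<string, string>): Promise<void> { this.store[id] = { ...value }; }
}
```

The page's reminder to run the environment switcher afterwards applies just the same here: the new values live in Secrets Manager once `putSecretValue` completes, and nothing in a local shell picks them up until they are fetched again.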

Development Environment with Production-like Data

In development environments with production-like data, after running the rotation script above you will need to run the setup-test-users.ts script to update the test users and the setup-glued-judges.ts script to update the judge users:

DEPLOYING_COLOR="$CURRENT_COLOR" DESTINATION_TABLE="$SOURCE_TABLE" ./scripts/user/setup-test-users.ts
DEPLOYING_COLOR="$CURRENT_COLOR" DESTINATION_TABLE="$SOURCE_TABLE" ./scripts/user/setup-glued-judges.ts