Rotating Secrets - ustaxcourt/ef-cms GitHub Wiki

To maintain the security of deployed DAWSON environments, credentials are rotated every quarter.

All Environments

These steps should be performed in every deployed DAWSON environment.

Account Level Users

CircleCI User

The CircleCI user is an IAM user whose access keys must be rotated in every DAWSON AWS account. To simplify this, a script deletes the user's old access keys and prints a new key pair to enter into the CircleCI web interface. Because the old keys are deleted first, CircleCI builds will fail until the new keys are entered, so paste them in immediately afterwards. Run the following steps in every DAWSON AWS environment:

  1. Run the following script:

    npm run secrets:rotate-circleci
    
  2. The script outputs the new access key id and secret access key; copy and paste them into the CircleCI web interface. The secret access key is shown only at creation time, so it cannot be retrieved again later.
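The rotation the script performs, written out as an added example that is not the ef-cms project's own `secrets:rotate-circleci` script. It deletes every existing access key of the IAM user, creates one new key and returns it for CircleCI, and also includes a pre-check that lists keys older than the quarterly period (taken here as 90 days). The IAM client interface (`listAccessKeys` / `deleteAccessKey` / `createAccessKey`) and the `FakeIamClient`, key ids and secrets are assumptions of the example so that it runs offline; in real use wrap `@aws-sdk/client-iam` behind the same three methods.

```javascript
// Added example, not the ef-cms project's own rotate-circleci script. The IAM
// client interface and FakeIamClient below are assumptions of this example.

const MAX_ACCESS_KEYS_PER_USER = 2; // AWS limit: CreateAccessKey fails with LimitExceeded at two keys
const ROTATION_PERIOD_DAYS = 90;    // the page's quarterly rotation, taken as 90 days

// Keys of a user that are older than maxAgeDays as of `now`; anything listed
// here is overdue for rotation.
function keysDueForRotation(keys, now, maxAgeDays = ROTATION_PERIOD_DAYS) {
  const cutoff = now.getTime() - maxAgeDays * 24 * 60 * 60 * 1000;
  return keys.filter((k) => new Date(k.CreateDate).getTime() < cutoff);
}

// Delete old keys, then create the new one. Create-then-delete would avoid a
// window with no valid key, but it is impossible for a user already holding
// two keys, so this follows the page: the new key must be entered into
// CircleCI right after the script finishes.
async function rotateIamUserKeys(iam, userName) {
  const existing = await iam.listAccessKeys(userName);
  for (const key of existing) {
    await iam.deleteAccessKey(userName, key.AccessKeyId);
  }
  const created = await iam.createAccessKey(userName);
  return {
    deleted: existing.map((k) => k.AccessKeyId),
    accessKeyId: created.AccessKeyId,
    secretAccessKey: created.SecretAccessKey, // shown once; never log it
  };
}

// In-memory stand-in for IAM that enforces the two-key limit. Ids and secrets
// it produces are fabricated.
class FakeIamClient {
  constructor(seedKeys = []) {
    this.keys = new Map(seedKeys.map((k) => [k.AccessKeyId, k]));
    this.counter = 0;
  }
  async listAccessKeys(userName) {
    return [...this.keys.values()].filter((k) => k.UserName === userName);
  }
  async deleteAccessKey(userName, accessKeyId) {
    const key = this.keys.get(accessKeyId);
    if (!key || key.UserName !== userName) throw new Error("NoSuchEntity");
    this.keys.delete(accessKeyId);
  }
  async createAccessKey(userName) {
    const count = (await this.listAccessKeys(userName)).length;
    if (count >= MAX_ACCESS_KEYS_PER_USER) throw new Error("LimitExceeded");
    this.counter += 1;
    const key = {
      UserName: userName,
      AccessKeyId: `AKIAFAKE${String(this.counter).padStart(12, "0")}`,
      SecretAccessKey: `fake-secret-${this.counter}`,
      CreateDate: new Date().toISOString(),
    };
    this.keys.set(key.AccessKeyId, key);
    return key;
  }
}

// Constructed sample state: the circleci user already holds two stale keys.
const SAMPLE_KEYS = [
  { UserName: "circleci", AccessKeyId: "AKIAFAKEOLD000000001", SecretAccessKey: "fake-secret-old-1", CreateDate: "2024-01-05T00:00:00Z" },
  { UserName: "circleci", AccessKeyId: "AKIAFAKEOLD000000002", SecretAccessKey: "fake-secret-old-2", CreateDate: "2024-02-20T00:00:00Z" },
];

if (typeof require !== "undefined" && require.main === module) {
  rotateIamUserKeys(new FakeIamClient(SAMPLE_KEYS), "circleci").then((result) => {
    console.log(`deleted ${result.deleted.length} key(s); new key id ${result.accessKeyId}`);
  });
}
```

The delete-first order is the reason the page tells you to paste the new keys into CircleCI straight away: for the duration between the script finishing and the paste, the pipeline has no working AWS credentials.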

Environment Users

Every environment has a USTC_ADMIN_USER and USTC_ADMIN_PASS used to create users and perform admin-level operations. These credentials are stored in AWS Secrets Manager.

The following script rotates these secrets:

CI=false npm run secrets:rotate-environment

This updates the password in Cognito for USTC_ADMIN_USER and then writes the new USTC_ADMIN_PASS to Secrets Manager so that subsequent deploys use the new credentials. For environments with production-like data it also generates a new DEFAULT_ACCOUNT_PASS and stores that in Secrets Manager as well.

Be sure to run the environment switcher again after rotating the secrets so that your shell picks up the new values.
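The sequence the rotation script performs, as an added example that is not the ef-cms project's own `secrets:rotate-environment` script: generate a new password, set it in Cognito for USTC_ADMIN_USER, then write it back to Secrets Manager, with a fresh DEFAULT_ACCOUNT_PASS for prod-like environments. Assumptions of this example, none of them confirmed by the page: the environment's values live in one Secrets Manager secret whose SecretString is a JSON object with USTC_ADMIN_USER / USTC_ADMIN_PASS / DEFAULT_ACCOUNT_PASS keys, the user pool uses Cognito's default password policy, and the two clients expose the minimal methods used below (`adminSetUserPassword`, `getSecretValue`, `putSecretValue`), which in real use would wrap `@aws-sdk/client-cognito-identity-provider` and `@aws-sdk/client-secrets-manager`. The fake clients, sample secret and `randomInt` injection exist so that it runs offline.

```javascript
// Added example, not the ef-cms project's own rotate-environment script. The
// client interfaces, JSON secret layout and fakes below are assumptions.

const PASSWORD_LENGTH = 32;
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const DIGIT = "0123456789";
const SYMBOL = "!@#$%^&*()_+-=[]{}|;:,.?"; // a subset of the special characters Cognito accepts

// Cognito's default policy: at least 8 characters with a lowercase letter, an
// uppercase letter, a digit and a special character.
function meetsCognitoPolicy(password) {
  return password.length >= 8 &&
    /[a-z]/.test(password) && /[A-Z]/.test(password) && /[0-9]/.test(password) &&
    [...password].some((c) => SYMBOL.includes(c));
}

// randomInt(max) must return a uniform integer in [0, max); inject
// require("crypto").randomInt in real use. One character is drawn from each
// class so the policy always holds, the rest uniformly from all classes, and
// a Fisher-Yates shuffle removes any fixed position for the guaranteed ones.
function generatePassword(randomInt, length = PASSWORD_LENGTH) {
  const classes = [LOWER, UPPER, DIGIT, SYMBOL];
  const all = classes.join("");
  const chars = classes.map((set) => set[randomInt(set.length)]);
  while (chars.length < length) chars.push(all[randomInt(all.length)]);
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

async function rotateEnvironmentSecrets({ cognito, secrets, randomInt }, { userPoolId, secretId, prodLike }) {
  // Read and validate the secret before touching Cognito, so a missing or
  // malformed secret cannot leave the pool changed with nothing recorded.
  const current = JSON.parse(await secrets.getSecretValue(secretId));
  if (typeof current.USTC_ADMIN_USER !== "string" || current.USTC_ADMIN_USER === "") {
    throw new Error(`${secretId} has no USTC_ADMIN_USER; refusing to rotate`);
  }
  const updated = { ...current, USTC_ADMIN_PASS: generatePassword(randomInt) };
  if (prodLike) updated.DEFAULT_ACCOUNT_PASS = generatePassword(randomInt);

  // Cognito first, then Secrets Manager, as on the page. If the second call
  // fails the new password exists only in this process: rerun the rotation
  // rather than trying to recover it, and never log the values.
  await cognito.adminSetUserPassword({
    userPoolId, username: current.USTC_ADMIN_USER, password: updated.USTC_ADMIN_PASS, permanent: true,
  });
  await secrets.putSecretValue(secretId, JSON.stringify(updated));
  return {
    username: current.USTC_ADMIN_USER,
    rotated: Object.keys(updated).filter((k) => updated[k] !== current[k]),
  };
}

// In-memory stand-ins for the two AWS clients; the Cognito fake enforces the
// password policy the way the real service would.
class FakeCognitoClient {
  constructor() { this.passwords = new Map(); }
  async adminSetUserPassword({ userPoolId, username, password, permanent }) {
    if (!meetsCognitoPolicy(password)) throw new Error("InvalidPasswordException");
    this.passwords.set(`${userPoolId}/${username}`, { password, permanent });
  }
}
class FakeSecretsClient {
  constructor(values) { this.values = new Map(Object.entries(values)); }
  async getSecretValue(secretId) {
    if (!this.values.has(secretId)) throw new Error("ResourceNotFoundException");
    return this.values.get(secretId);
  }
  async putSecretValue(secretId, secretString) { this.values.set(secretId, secretString); }
}

// Constructed sample secret for the demo; not real credentials.
const SAMPLE_SECRET_ID = "dawson-example-secrets";
const SAMPLE_SECRET = JSON.stringify({ USTC_ADMIN_USER: "ustc-admin@example.com", USTC_ADMIN_PASS: "OldPass#2024a" });

if (typeof require !== "undefined" && require.main === module) {
  const { randomInt } = require("crypto");
  rotateEnvironmentSecrets(
    { cognito: new FakeCognitoClient(), secrets: new FakeSecretsClient({ [SAMPLE_SECRET_ID]: SAMPLE_SECRET }), randomInt },
    { userPoolId: "us-east-1_example", secretId: SAMPLE_SECRET_ID, prodLike: true },
  ).then((r) => console.log(`rotated ${r.rotated.join(", ")} for ${r.username}`));
}
```

Reading the secret before the Cognito call is the one ordering choice that differs from a naive script: it turns a missing or malformed secret into a refusal instead of a half-rotated environment whose new admin password is recorded nowhere.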

Additional Steps for Prod and Prod-Like Environments

Production

The production environment has a single test user, [email protected], used to run load tests. After rotating passwords in production, set that user's password in Cognito to the new DEFAULT_ACCOUNT_PASS:

aws cognito-idp admin-set-user-password \
  --user-pool-id "$COGNITO_USER_POOL" \
  --username [email protected] \
  --password "$DEFAULT_ACCOUNT_PASS" \
  --permanent

Development Environment with Production-like Data

In development environments with production-like data, after running the rotation script above, run the reset-passwords.ts script to update the users' passwords:

./scripts/user/reset-passwords.ts