Skip to content
This repository was archived by the owner on Jun 10, 2024. It is now read-only.

Security and Maintenance

Jump to bottom
David An edited this page Jun 2, 2022 · 17 revisions

Service Account Key Rotation

Every three months, for security purposes, we must rotate the keys for the deployer and import-service service accounts.

  • the deployer SA is used by Jenkins during a release to deploy Import Service to App Engine.
  • the import-service SA is used to run Import Service inside FiaBs. TODO: does prod actually need a key??

The steps below describe the process for rotating keys:

Create new key in Google Cloud Console

  • Having logged in with your @firecloud.org account, go to Google Cloud Console's IAM & Admin > Service Accounts page for project terra-importservice-prod.
  • Click on the service account (deployer or import-service) in question.
  • Click on the 'KEYS' tab.
  • Click on the ADD KEY button.
  • Select Create new key.
  • Make sure JSON is selected as key type, and click on CREATE.
  • Make sure the .json file was downloaded onto your computer.

Update Vault with the new key

  • TODO: should we back up the existing Vault entry prior to overwriting it, so we don't lose the old key?
  • Add the new .json key file (that you just downloaded) to Vault (e.g. vault write secret/dsde/firecloud/prod/import-service/<sa-name>.json @/Users/<your username>/Downloads/<new sa file name>.json).
    • deployer: vault write secret/dsde/firecloud/prod/import-service/deployer.json @~/Downloads/deployer.json
    • import-service: vault write secret/dsde/firecloud/prod/import-service/import-service-account.json @~/Downloads/import-service.json

Smoke test

  • To verify the new deployer key, manually trigger a deployment of Import Service to production by running the import-service-manual-deploy job in prod Jenkins. If the deployment succeeds, the deployer key rotation worked.
  • To verify the new import-service key … TODO

Disable the old deployment key

  • Now you can disable the old key(s). It's not possible to disable a SA key on the GCP console. You will need to use gcloud on your local system (e.g. Terminal on MacOS). After making sure you're authenticated with your @firecloud.org account on your local system, run gcloud iam service-accounts keys disable <service_account_key_name> --iam-account=<sa_name> --project terra-importservice-prod. Substitute into that command, the key obtained from Key column on the GCP console page listing keys for the target service account. More details on disabling service account keys can be found here. Verify on the GCP console page that the key's Status is now Disabled (as opposed to Active).
  • To be sure, rerun the prod deploy job and verify that everything still works.
  • Assuming everything is still working, you can now safely delete the old key using the trash can icon in the UI.

Delete local copy of key

  • Now that you are done with the locally-downloaded .json file, and its contents are stored securely in Vault, delete your local .json file. Leaving it on your local computer is a security hazard.

Prepare for the next rotation

  • Set a Slack reminder on #dsp-analysis-journeys channel for the next rotation by typing something like /remind :alert_red_light: Reminder to rotate the service account key for Import Service by following these (https://github.com/broadinstitute/import-service/wiki/Security-and-Maintenance) instructions in 85 days.

Clone this wiki locally