Use OIDC to securely connect CircleCI to AWS #5589
Conversation
eternaltyro
added
type: enhancement
eternaltyro
requested review from
dakotabenjamin,
ramyaragupathy,
HelNershingThapa and
Aadesh-Baral
There was a problem hiding this comment.
I went through the PR, and I have a few questions.
- What is frontend-modern job used for?
- In frontend and backend deploy jobs, what function does the frontend-modern job play?
- I saw that frontend-modern was using a cimg/node:lts image, and I believe that the TM frontend build is not successful in node >=18.
|
Thanks for the review, @Aadesh-Baral
It's an experimental job I used to play around with different settings. I will remove it in a subsequent commit. But for now it stays because I can work with CircleCI without clobbering on others' work.
Doesn't play any role. It's an independent workflow.
This is a discussion for later. But we need to get TM frontend to work with LTS releases as we move forward. I can switch the version to |
- Legacy webhooks for sending notifications from CircleCI have been deprecated - Orbs or Webhooks v2 are the recommended(?) way to go for sending notifications about CircleCI jobs /workflows to Opsgenie - Removed the legacy notification lines from CircleCI config.yml - Added OpsGenie orb (v1.0.8 last updated 2019) - Added OPSGENIE_WEBHOOK envvar to org-global context and added context to workflows - Added post-steps in workflows to send notifications to OpsGenie [SECURITY] - Enabled execution of uncertified orbs in CircleCI org settings
AfiMaameDufie
force-pushed
the
enhance/circleci-oidc
branch
from
47e29e9
to
6f3bf19
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
|
Related to #5539 |
|
@eternaltyro is this still relevant to review? |
|
@dakotabenjamin yes, please. I will resolve the conflicts, but for now, can you review for any pitfalls and things like that? |
|
@dakotabenjamin I have resolved the conflicts. Please review once. If all is good, I'll merge this and then move on to improving the syntax further. |
@dakotabenjamin Those different tests don't save anything to cache. I don't think there will be a significant increase in project storage usage through saved caches. Re: Runtime - it actually reduces the runtime because the tests are parallelised. There is no change in overall runtime since the build flows are dependent on the test flows and it is all sequential. I have ideas to shorten that too. I will increase the OIDC key lifetime to 45min in the interim. Do you think this PR is good to be merged? |
|
Kudos, SonarCloud Quality Gate passed!
|
This PR introduces OpenID Connect for CircleCI to access AWS. Only jobs running inside a context can fetch AWS credentials. AWS provides temporary (30 min) access tokens for CircleCI to use for running AWS API ops.
Note:
Benefits:
This obsoletes the need to specify an AWS key pair - risking them to exposure. This is a security measure primarily and to an extent a convenience measure to ease-up improvements to CircleCI config later.