Lambda function for dynamic STS credentials in Concourse (using assumed roles)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd
mocks
terraform
.gitignore
.travis.yml
CODEOWNERS
LICENSE
Makefile
README.md
go.mod
go.sum
handler.go
handler_test.go
manager.go
models.go
models_test.go

README.md

concourse-sts-lambda

Build Status

Lambda function to rotate AWS credentials used by Concourse teams. See the terraform subdirectory for an example that should work (with minimal effort).

Why?

Our CI/CD (in our case Concourse) needs AWS credentials to deploy Terraform templates. Since we are sharing workers between teams, the instance profile itself has no privileges. And so, we need to pass in credentials to the tasks which require them.

Instead of having individual teams being responsible for their CI credentials, we can use this Lambda function to write temporary credentials to a specific teams Concourse secrets, for one or more accounts.

How?

In short:

  1. This Lambda function is deployed to the same account as our Concourse.
  2. Individual accounts add a CI role with the Lambda functions execution role as a trusted entity.
  3. A team adds a CloudWatch event rule with the configuration for which accounts they need access to.
  4. Lambda assumes the roles specified in the configuration and rotates the temporary AWS credentials for said team on a 50min schedule.
  5. ???
  6. Profit.

Usage

Be in the root directory:

make release

You should now have a zipped Lambda function. Next, edit terraform/example.tf to your liking. When done, be in the terraform directory:

terraform init
terraform apply

NOTE: The aws/secretsmanager KMS Key Alias has to be created/exist before the lambda is deployed.

Team configuration

Example configuration for a Team (which is then passed as input in the CloudWatch event rule):

{
  "name": "example-team",
  "accounts": [{
    "name": "divx-lab",
    "roleArn": "arn:aws:iam::123456789999:role/machine-user-example"
  }]
}

When the function is triggered with this input it will assume the roleArn, and write the credentials to (by default):

  • /concourse/example-team/divx-lab-access-key
  • /concourse/example-team/divx-lab-secret-key
  • /concourse/example-team/divx-lab-session-token

Note that you can have multiple accounts, in which case the account name must be unique to avoid overwriting the secrets in Secrets manager.