Add script to sign arbitrary files using the key stored in Secrets Manager #3
Conversation
|
Please add a PR description that describes the motivation and some context |
|
You might want to change the destination of this PR so it won't be against master as long as you haven't committed your changes to master, because at the moment it seems like this has all the doc changes as well (you can change the destination branch from the UI) |
sign.sh
Outdated
| passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])") | ||
|
|
||
| echo "Importing key..." >&2 | ||
| gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])") |
There was a problem hiding this comment.
is this something we need to install or add to awslabs/superchain?
There was a problem hiding this comment.
Both gpg and AWS CLI are already in there.
There was a problem hiding this comment.
okay, cool. I don't have it on my Mac but I guess signing is only done on the build fleet anyway.
|
|
||
|
|
||
| tmpdir=$(mktemp -d) | ||
| trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT |
There was a problem hiding this comment.
+have ?
Oh, macOS... :/
There was a problem hiding this comment.
Yes... Try to keep dep surface to a minimum when writing bash scripts. You don't want to know what's up on Windows...
There was a problem hiding this comment.
Well yeah, but neither do you have gpg on your machine, apparently. This is designed to run inside the Docker, and the Docker has shred.
sign.sh
Outdated
| # Use secrets manager to obtain the key and passphrase into a JSON file | ||
| echo "Retrieving key..." >&2 | ||
| aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt | ||
| passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])") |
There was a problem hiding this comment.
I rather use node for JSON-related tasks (it is JS afterall)
sign.sh
Outdated
|
|
||
| # Use secrets manager to obtain the key and passphrase into a JSON file | ||
| echo "Retrieving key..." >&2 | ||
| aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt |
There was a problem hiding this comment.
I rather we don't specify a region here. I believe the default region is the region where the build task runs, no?
There was a problem hiding this comment.
But the secrets do live in a particular region (I've created them there), which is only incidentally the same one as the one where the build runs.
There was a problem hiding this comment.
Does it make to make a cross-region call if our build fleet is deployed elsewhere or to put the secrets alongside each build fleet? (hypothetical of course).
There was a problem hiding this comment.
Good question. I'll remove the region, with the result that the call will fail if we fail to colocate the build with the secrets. I guess that's preferable to "accidentally" placing them far away.
By the way, I will also add the key provisioning to the CI/CD stack.
|
Dry run? |
packages/docs/package.json
Outdated
| "private": true, | ||
| "version": "0.6.0", | ||
| "description": "AWS CDK Documentation", | ||
| "description": "Generates the documentation for all packages", |
packages/docs/src/concepts.rst
Outdated
| add the construct to the construct tree by specifying the parent construct as the first initializer parameter, | ||
| a unique (to your stack) identifier for the construct as the second parameter, | ||
| and an optional set of properties for the final parameter, | ||
| a unique identifier for the construct as the second parameter, |
There was a problem hiding this comment.
Still seeing doc updates here... something is weird
rix0rrr
changed the title
# This is the 1st commit message: Add Identity Pool construct # This is the commit message #2: Bug fixes # This is the commit message #3: Bug fixes # This is the commit message #4: Formatting # This is the commit message #5: Add construct methods # This is the commit message #6: Remove flat # This is the commit message #7: Fix issues
Added Note 3 -Additional note that certain expected defaults for parameters may be different. **⚠ Note aws#3**: Expected defaults for certain parameters may be different with the hotswap parameter. For example, an ECS service's minimum healthy percentage will currently be set to 0. Please review the source accordingly if this occurs.
…erfaces #3) (#35282) Using the updated interfaces from #35271. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Rico Huijbers <[email protected]> Co-authored-by: Feng He <[email protected]> Co-authored-by: Kazuho Cryer-Shinozuka <[email protected]> Co-authored-by: Chooi Je Qin <[email protected]> Co-authored-by: claypack <[email protected]> Co-authored-by: Hung Tran <[email protected]> Co-authored-by: matoom-nomu <[email protected]>
3 participants
This adds a script that loads a secret PGP key from secrets manager and signs arbitrary artifacts with it, creating detached (FILE.sig) signatures.
Not integrated with the
buildspec.yamlyet. We should do that when we're builder superzips.