Google Git
Sign in
fuchsia / third_party / rust / e8d2957904cd3680c5eacdc9efcf4ee586074239^! / .
commite8d2957904cd3680c5eacdc9efcf4ee586074239[log] [tgz]
authorPietro Albini <pietro@pietroalbini.org>Wed Sep 18 11:10:46 2019 +0200
committerMark Rousskov <mark.simulacrum@gmail.com>Sat Sep 21 12:27:18 2019 -0400
tree5309cb43869dabd17a1065a6efe074ad47526d0d
parent73c70ca4e237bc30009740a68e7c9451220c904b [diff]
ci: split aws credentials in two separate users with scoped perms

This commit changes our CI to use two separate IAM users to
authenticate with AWS:

* ci--rust-lang--rust--sccache: has access to the rust-lang-ci-sccache2
  S3 bucket and its credentials are available during the whole build.
* ci--rust-lang--rust--upload: has access to the rust-lang-ci2 S3 bucket
  and its credentials are available just during the upload step.

The new tokens are available in the `prod-credentials` library.

diff --git a/src/ci/azure-pipelines/auto.yml b/src/ci/azure-pipelines/auto.yml
index 06fa3bd..0c7c734 100644
--- a/src/ci/azure-pipelines/auto.yml
+++ b/src/ci/azure-pipelines/auto.yml

@@ -7,7 +7,7 @@
   - auto
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 jobs:
 - job: Linux

diff --git a/src/ci/azure-pipelines/master.yml b/src/ci/azure-pipelines/master.yml
index 9742c71..e2baa92 100644
--- a/src/ci/azure-pipelines/master.yml
+++ b/src/ci/azure-pipelines/master.yml

@@ -7,7 +7,7 @@
   - master
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 pool:
   vmImage: ubuntu-16.04

diff --git a/src/ci/azure-pipelines/steps/run.yml b/src/ci/azure-pipelines/steps/run.yml
index ca32888..a8791b4 100644
--- a/src/ci/azure-pipelines/steps/run.yml
+++ b/src/ci/azure-pipelines/steps/run.yml

@@ -168,7 +168,8 @@
   env:
     CI: true
     SRC: .
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
+    AWS_ACCESS_KEY_ID: $(SCCACHE_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(SCCACHE_AWS_SECRET_ACCESS_KEY)
     TOOLSTATE_REPO_ACCESS_TOKEN: $(TOOLSTATE_REPO_ACCESS_TOKEN)
   condition: and(succeeded(), not(variables.SKIP_JOB))
   displayName: Run build
@@ -192,7 +193,8 @@
     fi
     retry aws s3 cp --no-progress --recursive --acl public-read ./$upload_dir s3://$DEPLOY_BUCKET/$deploy_dir/$BUILD_SOURCEVERSION
   env:
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
+    AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
   condition: and(succeeded(), not(variables.SKIP_JOB), or(eq(variables.DEPLOY, '1'), eq(variables.DEPLOY_ALT, '1')))
   displayName: Upload artifacts
 
@@ -201,7 +203,8 @@
 # errors here ever fail the build since this is just informational.
 - bash: aws s3 cp --acl public-read cpu-usage.csv s3://$DEPLOY_BUCKET/rustc-builds/$BUILD_SOURCEVERSION/cpu-$SYSTEM_JOBNAME.csv
   env:
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
-  condition: variables['AWS_SECRET_ACCESS_KEY']
+    AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
+  condition: variables['UPLOAD_AWS_SECRET_ACCESS_KEY']
   continueOnError: true
   displayName: Upload CPU usage statistics

diff --git a/src/ci/azure-pipelines/try.yml b/src/ci/azure-pipelines/try.yml
index 0df6c6c..c919b10 100644
--- a/src/ci/azure-pipelines/try.yml
+++ b/src/ci/azure-pipelines/try.yml

@@ -3,7 +3,7 @@
 - try
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 jobs:
 - job: Linux