HansMarcus01 opened a new pull request, #38992: URL: https://github.com/apache/beam/pull/38992
This Pull Request introduces the core detection logic to identify rogue service account keys in the apache-beam-testing infrastructure. Currently, it is difficult to determine if a service account key was created manually outside the automated rotation system. To solve this, I have modified a compliance checker script (account_keys.py) that performs the following actions:

- State Generation (--action generate): Connects to the GCP IAM API and Secret Manager to document the current live service accounts and managed secrets, updating the local state file (keys.yaml).
- Compliance Detection (--action check): Uses set logic to compare the physical keys existing in IAM against the legal, managed keys registered in Secret Manager.
- Security Alerting: Successfully identifies any rogue key created outside the system.

This establishes the foundation for the next phase, which will involve consolidating these alerts into a single actionable GitHub issue to prevent alert fatigue.
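The set comparison the PR describes (keys present in IAM versus keys registered in Secret Manager), written out as an added illustrative example. This is hypothetical code, not the PR's account_keys.py: it assumes both inventories have already been fetched and flattened into per-service-account mappings (the `IAM_KEYS` and `MANAGED_KEYS` samples below are constructed), and it uses GCP's USER_MANAGED / SYSTEM_MANAGED key-type distinction to skip Google-rotated keys, which never appear in Secret Manager and would otherwise show up as false positives.

```python
"""Rogue service-account-key detection via set difference.

Hypothetical example, not the PR's account_keys.py. Inputs are assumed to be
already fetched from the IAM API and Secret Manager and flattened into
{service_account_email: ...} mappings; the sample data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample of live keys in IAM, as `--action generate` might record
# them. GCP marks each key as USER_MANAGED (created/uploaded by a principal) or
# SYSTEM_MANAGED (Google-rotated). Only USER_MANAGED keys are ever registered in
# Secret Manager by a rotation system, so only those are compared.
IAM_KEYS = {
    "ci-runner@apache-beam-testing.iam.gserviceaccount.com": [
        ("a1b2c3", "USER_MANAGED"),
        ("d4e5f6", "USER_MANAGED"),    # not registered in Secret Manager -> rogue
        ("sys001", "SYSTEM_MANAGED"),  # Google-managed, must be ignored
    ],
    "deployer@apache-beam-testing.iam.gserviceaccount.com": [
        ("778899", "USER_MANAGED"),
    ],
}

# Constructed sample of key IDs the rotation system registered as managed secrets.
MANAGED_KEYS = {
    "ci-runner@apache-beam-testing.iam.gserviceaccount.com": ["a1b2c3"],
    # "000aaa" was deleted from IAM but its secret was never cleaned up -> stale
    "deployer@apache-beam-testing.iam.gserviceaccount.com": ["778899", "000aaa"],
}


@dataclass
class ComplianceReport:
    rogue: dict[str, set[str]] = field(default_factory=dict)  # in IAM, not managed
    stale: dict[str, set[str]] = field(default_factory=dict)  # managed, gone from IAM

    def is_clean(self) -> bool:
        return not self.rogue and not self.stale


def check_compliance(iam_keys, managed_keys) -> ComplianceReport:
    """Compare user-managed IAM keys against Secret Manager registrations."""
    report = ComplianceReport()
    # Walk the union of accounts so an account known to only one source is
    # still reported rather than silently skipped.
    for account in set(iam_keys) | set(managed_keys):
        live = {kid for kid, ktype in iam_keys.get(account, []) if ktype == "USER_MANAGED"}
        managed = set(managed_keys.get(account, []))
        if live - managed:
            report.rogue[account] = live - managed
        if managed - live:
            report.stale[account] = managed - live
    return report


def format_alerts(report: ComplianceReport) -> list[str]:
    """Render one deterministic alert line per finding (sorted for stable diffs)."""
    lines = []
    for account, keys in sorted(report.rogue.items()):
        for kid in sorted(keys):
            lines.append(f"ROGUE key {kid} on {account}: in IAM but not registered in Secret Manager")
    for account, keys in sorted(report.stale.items()):
        for kid in sorted(keys):
            lines.append(f"STALE secret {kid} on {account}: registered in Secret Manager but no longer in IAM")
    return lines


if __name__ == "__main__":
    for line in format_alerts(check_compliance(IAM_KEYS, MANAGED_KEYS)):
        print(line)
```

The stale-secret direction is not part of the PR's stated scope, but it falls out of the same two sets for free and is worth reporting: a secret whose key no longer exists in IAM is an orphan that the rotation system should clean up.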
