This is an automated email from the ASF dual-hosted git repository.
marcoabreu pushed a commit to branch rotate-secrets-manager-credentials
in repository https://gitbox.apache.org/repos/asf/incubator-mxnet-ci.git
commit c8f2ed48234d3b21f233d2e95d3a5edf3f440627
Author: Marco de Abreu <marco.g.abreu+git...@gmail.com>
AuthorDate: Thu Aug 15 23:25:17 2019 +0200
Add rotate secrets manager credentials
---
.../rotate-secrets-manager-credentials/.gitignore | 47 +++
tools/rotate-secrets-manager-credentials/README.md | 39 +++
.../deploy_lambda.sh | 36 +++
.../docker_hub_change_password.py | 342 +++++++++++++++++++++
.../environment.yml | 8 +
.../requirements.txt | 1 +
.../serverless.yml | 76 +++++
7 files changed, 549 insertions(+)
diff --git a/tools/rotate-secrets-manager-credentials/.gitignore
b/tools/rotate-secrets-manager-credentials/.gitignore
new file mode 100755
index 0000000..1bb0ffd
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/.gitignore
@@ -0,0 +1,47 @@
+*~
+package-lock.json
+package.json
+
+# Logs
+logs
+*.log
+npm-debug.log
+
+# Runtime data
+pids
+*.pid
+*.seed
+dist
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage
(http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+#
https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git
+node_modules
+
+#IDE Stuff
+**/.idea
+
+#OS STUFF
+.DS_Store
+.tmp
+
+#SERVERLESS STUFF
+admin.env
+.env
+_meta
+.serverless
+
diff --git a/tools/rotate-secrets-manager-credentials/README.md
b/tools/rotate-secrets-manager-credentials/README.md
new file mode 100644
index 0000000..52609d7
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/README.md
@@ -0,0 +1,39 @@
+<!--- Licensed to the Apache Software Foundation (ASF) under one -->
+<!--- or more contributor license agreements. See the NOTICE file -->
+<!--- distributed with this work for additional information -->
+<!--- regarding copyright ownership. The ASF licenses this file -->
+<!--- to you under the Apache License, Version 2.0 (the -->
+<!--- "License"); you may not use this file except in compliance -->
+<!--- with the License. You may obtain a copy of the License at -->
+
+<!--- http://www.apache.org/licenses/LICENSE-2.0 -->
+
+<!--- Unless required by applicable law or agreed to in writing, -->
+<!--- software distributed under the License is distributed on an -->
+<!--- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -->
+<!--- KIND, either express or implied. See the License for the -->
+<!--- specific language governing permissions and limitations -->
+<!--- under the License. -->
+
+# Lambda function for automatic rotatation of DockerHub credentials in AWS
SecretsManager
+This repository sets up a Lambda function that allows to autoamtically change
a DockerHub password.
+
+## Deployment
+These are the deployment instructions.
+
+### Installation
+You need to have NodeJS (npm) and serverless installed. Additional npm
packages are required and can be installed as follows:
+```npm install serverless-python-requirements```
+```npm install serverless-s3-remover```
+
+### Provisioning
+Run ```deploy_lambda.sh``` and enter the deployment stage
+
+## Usage
+Log into SecretsManager, open the secret of your choice, go to the category
"Rotation configuration", click on "Edit rotation", enable the automatic
rotation, enter an interval of your choice and select the previously
provisioned Lambda function. Then press on "Save"; note that this will trigger
an immediate rotation of the credentials.
+
+If you would like to trigger a manual immediate rotation, click on "Rotate
secret immediately" in the secret detail windows.
+
+## Debugging
+If you'd like to debug this script, go to CloudWatch logs and look for the "
+/aws/lambda/SecretsManager_docker_hub_change_password_function" log group.
\ No newline at end of file
diff --git a/tools/rotate-secrets-manager-credentials/deploy_lambda.sh
b/tools/rotate-secrets-manager-credentials/deploy_lambda.sh
new file mode 100755
index 0000000..269a646
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/deploy_lambda.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -e
+
+echo "Deployment stage (test, prod)"
+read config_dir
+
+if [ "$config_dir" == "test" ]; then
+ echo "Deploying to test"
+ export AWS_PROFILE=mxnet-ci-dev
+ sls deploy -s test
+elif [ "$config_dir" == "prod" ]; then
+ echo "Deploying to prod"
+ export AWS_PROFILE=mxnet-ci
+ sls deploy -s prod
+else
+ echo "Unrecognized stage: ${config_dir}"
+fi
+
diff --git
a/tools/rotate-secrets-manager-credentials/docker_hub_change_password.py
b/tools/rotate-secrets-manager-credentials/docker_hub_change_password.py
new file mode 100755
index 0000000..985b0a6
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/docker_hub_change_password.py
@@ -0,0 +1,342 @@
+#!/usr/bin/env python3
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# -*- coding: utf-8 -*-
+"""
+Script to update Docker Hub Credentials
+
+
+"""
+
+import requests
+import logging
+import sys
+import time
+import argparse
+import boto3
+import os
+import json
+
+def dockerhub_get_session(secret_dict):
+ """Gets a session to the DockerHub User API from a secret dictionary
+
+ This helper function tries to connect to the DockerHub User API by
grabbing login info
+ from the secret dictionary. If successful, it returns the http session,
else None
+
+ Args:
+ secret_dict (dict): The Secret Dictionary
+
+ Returns:
+ Session: The requests.Session object if successful. None otherwise
+
+ Raises:
+ KeyError: If the secret json does not contain the expected keys
+
+ """
+ # Log in
+ session = requests.Session()
+ logging.info('Logging in with provided credentials...')
+ url = "https://id.docker.com/api/id/v1/user/login";
+ json = {"password": secret_dict['password'], "username":
secret_dict['username']}
+ r = session.post(url, json=json)
+
+ if r.status_code != 200:
+ logging.error("Login Failed. Error: {}".format(r.status_code))
+ return None
+
+ # Get CSRF Token
+ logging.info('Getting CSRF Token...')
+ url = "https://cloud.docker.com/sso/start";
+ r = session.get(url)
+
+ if r.status_code != 200 or not session.cookies['csrftoken']:
+ logging.error('CSRFToken acquisition failed')
+ return None
+
+ logging.info('Successfully logged in to DockerHub')
+
+ return session
+
+def dockerhub_set_password(session, username, old_password, new_password):
+ """Update a DockerHub password
+
+ This method asks the DockerHub API to change the password to the requested
one.
+
+ Args:
+ session (requests.Session): Logged in session
+
+ username (string): DockerHub username
+
+ old_password (string): Current password
+
+ new_password (string): Password to be set
+
+ Raises:
+ Exception: If changing the password failed
+ """
+ # Update Password
+ logging.info('Changing password...')
+ url = 'https://cloud.docker.com/v2/user/change_password/'
+ json = {"username": username, "old_password": old_password,
"new_password": new_password}
+ headers = {'X-CSRFToken': session.cookies['csrftoken']}
+ r = session.put(url, json=json, headers=headers)
+
+ if r.status_code != 204:
+ logging.error('Password update failed')
+ raise Exception('Password update failed: ' + r.status_code)
+
+ logging.info('Password changed successfully!')
+
+
+def create_secret(service_client, arn, token):
+ """Generate a new secret
+
+ This method first checks for the existence of a secret for the passed in
token. If one does not exist, it will generate a
+ new secret and put it with the passed in token.
+
+ Args:
+ service_client (client): The secrets manager service client
+
+ arn (string): The secret ARN or other identifier
+
+ token (string): The ClientRequestToken associated with the secret
version
+
+ Raises:
+ ValueError: If the current secret is not valid JSON
+
+ KeyError: If the secret json does not contain the expected keys
+
+ """
+ # Make sure the current secret exists
+ current_dict = get_secret_dict(service_client, arn, "AWSCURRENT")
+
+ # Now try to get the secret version, if that fails, put a new secret
+ try:
+ get_secret_dict(service_client, arn, "AWSPENDING", token)
+ logging.info("createSecret: Successfully retrieved secret for %s." %
arn)
+ except service_client.exceptions.ResourceNotFoundException:
+ # Generate a random password
+ passwd =
service_client.get_random_password(ExcludeCharacters='/@"\'\\')
+ current_dict['password'] = passwd['RandomPassword']
+
+ # Put the secret
+ service_client.put_secret_value(SecretId=arn,
ClientRequestToken=token, SecretString=json.dumps(current_dict),
VersionStages=['AWSPENDING'])
+ logging.info("createSecret: Successfully put secret for ARN %s and
version %s." % (arn, token))
+
+
+def set_secret(service_client, arn, token):
+ """Set the pending secret in the database
+
+ This method tries to login to the database with the AWSPENDING secret and
returns on success. If that fails, it
+ tries to login with the AWSCURRENT and AWSPREVIOUS secrets. If either one
succeeds, it sets the AWSPENDING password
+ as the user password in the database. Else, it throws a ValueError.
+
+ Args:
+ service_client (client): The secrets manager service client
+
+ arn (string): The secret ARN or other identifier
+
+ token (string): The ClientRequestToken associated with the secret
version
+
+ Raises:
+ ResourceNotFoundException: If the secret with the specified arn and
stage does not exist
+
+ ValueError: If the secret is not valid JSON or valid credentials are
found to login to the database
+
+ KeyError: If the secret json does not contain the expected keys
+
+ """
+ # First try to login with the pending secret, if it succeeds, return
+ pending_dict = get_secret_dict(service_client, arn, "AWSPENDING", token)
+ session = dockerhub_get_session(pending_dict)
+ if session:
+ logging.info("setSecret: AWSPENDING secret is already set as password
in DockerHub for secret arn %s." % arn)
+ return
+
+ # Now try the current password
+ current_dict = get_secret_dict(service_client, arn, "AWSCURRENT")
+ session = dockerhub_get_session(current_dict)
+ if not session:
+ # If both current and pending do not work, try previous
+ try:
+ previous_dict = get_secret_dict(service_client, arn, "AWSPREVIOUS")
+ session = dockerhub_get_session(previous_dict)
+
+ # The current password is actually the previous one, correct that
fact
+ current_dict = previous_dict
+ except service_client.exceptions.ResourceNotFoundException:
+ session = None
+
+ # If we still don't have a session, raise a ValueError
+ if not session:
+ logging.error("setSecret: Unable to log into DockerHub with previous,
current, or pending secret of secret arn %s" % arn)
+ raise ValueError("Unable to log into DockerHub with previous, current,
or pending secret of secret arn %s" % arn)
+
+ # Now set the password to the pending password
+ dockerhub_set_password(session, pending_dict['username'],
current_dict['password'], pending_dict['password'])
+
+
+def test_secret(service_client, arn, token):
+ """Test the pending secret against the DockerHub API
+
+ This method tries to log into the DockerHub API
+
+ Args:
+ service_client (client): The secrets manager service client
+
+ arn (string): The secret ARN or other identifier
+
+ token (string): The ClientRequestToken associated with the secret
version
+
+ Raises:
+ ResourceNotFoundException: If the secret with the specified arn and
stage does not exist
+
+ ValueError: If the secret is not valid JSON or valid credentials are
found to login to the DockerHub API
+
+ KeyError: If the secret json does not contain the expected keys
+
+ """
+ # Try to login with the pending secret, if it succeeds, return
+ session = dockerhub_get_session(get_secret_dict(service_client, arn,
"AWSPENDING", token))
+ if session:
+ # This is where the lambda will validate the user's permissions.
Uncomment/modify the below lines to
+ # tailor these validations to your needs
+ logging.info("testSecret: Successfully signed into DockerHub API with
AWSPENDING secret in %s." % arn)
+ return
+ else:
+ logging.error("testSecret: Unable to log into DockerHub API with
pending secret of secret ARN %s" % arn)
+ raise ValueError("Unable to log into DockerHub API with pending secret
of secret ARN %s" % arn)
+
+
+
+def finish_secret(service_client, arn, token):
+ """Finish the rotation by marking the pending secret as current
+
+ This method finishes the secret rotation by staging the secret staged
AWSPENDING with the AWSCURRENT stage.
+
+ Args:
+ service_client (client): The secrets manager service client
+
+ arn (string): The secret ARN or other identifier
+
+ token (string): The ClientRequestToken associated with the secret
version
+
+ """
+ # First describe the secret to get the current version
+ metadata = service_client.describe_secret(SecretId=arn)
+ current_version = None
+ for version in metadata["VersionIdsToStages"]:
+ if "AWSCURRENT" in metadata["VersionIdsToStages"][version]:
+ if version == token:
+ # The correct version is already marked as current, return
+ logging.info("finishSecret: Version %s already marked as
AWSCURRENT for %s" % (version, arn))
+ return
+ current_version = version
+ break
+
+ # Finalize by staging the secret version current
+ service_client.update_secret_version_stage(SecretId=arn,
VersionStage="AWSCURRENT", MoveToVersionId=token,
RemoveFromVersionId=current_version)
+ logging.info("finishSecret: Successfully set AWSCURRENT stage to version
%s for secret %s." % (version, arn))
+
+
+def get_secret_dict(service_client, arn, stage, token=None):
+ """Gets the secret dictionary corresponding for the secret arn, stage, and
token
+
+ This helper function gets credentials for the arn and stage passed in and
returns the dictionary by parsing the JSON string
+
+ Args:
+ service_client (client): The secrets manager service client
+
+ arn (string): The secret ARN or other identifier
+
+ token (string): The ClientRequestToken associated with the secret
version, or None if no validation is desired
+
+ stage (string): The stage identifying the secret version
+
+ Returns:
+ SecretDictionary: Secret dictionary
+
+ Raises:
+ ResourceNotFoundException: If the secret with the specified arn and
stage does not exist
+
+ ValueError: If the secret is not valid JSON
+
+ """
+ required_fields = ['username', 'password']
+
+ # Only do VersionId validation against the stage if a token is passed in
+ if token:
+ secret = service_client.get_secret_value(SecretId=arn,
VersionId=token, VersionStage=stage)
+ else:
+ secret = service_client.get_secret_value(SecretId=arn,
VersionStage=stage)
+ plaintext = secret['SecretString']
+ secret_dict = json.loads(plaintext)
+
+ # Run validations against the secret
+ for field in required_fields:
+ if field not in secret_dict:
+ raise KeyError("%s key is missing from secret JSON" % field)
+
+ # Parse and return the secret JSON string
+ return secret_dict
+
+def lambda_handler(event, context):
+ """
+ Main lambda handler
+ """
+ logging.basicConfig(level=logging.INFO)
+ logging.getLogger().setLevel(logging.INFO)
+ arn = event['SecretId']
+ token = event['ClientRequestToken']
+ step = event['Step']
+ logging.info('Step: ' + step)
+
+ # Setup the client
+ service_client = boto3.client('secretsmanager',
endpoint_url=os.environ['SECRET_ENDPOINT_URL'])
+
+ # Make sure the version is staged correctly
+ metadata = service_client.describe_secret(SecretId=arn)
+ if "RotationEnabled" in metadata and not metadata['RotationEnabled']:
+ logging.error("Secret %s is not enabled for rotation" % arn)
+ raise ValueError("Secret %s is not enabled for rotation" % arn)
+ versions = metadata['VersionIdsToStages']
+ if token not in versions:
+ logging.error("Secret version %s has no stage for rotation of secret
%s." % (token, arn))
+ raise ValueError("Secret version %s has no stage for rotation of
secret %s." % (token, arn))
+ if "AWSCURRENT" in versions[token]:
+ logging.info("Secret version %s already set as AWSCURRENT for secret
%s." % (token, arn))
+ return
+ elif "AWSPENDING" not in versions[token]:
+ logging.error("Secret version %s not set as AWSPENDING for rotation of
secret %s." % (token, arn))
+ raise ValueError("Secret version %s not set as AWSPENDING for rotation
of secret %s." % (token, arn))
+
+
+ if step == 'createSecret':
+ return create_secret(service_client, arn, token)
+ elif step == 'setSecret':
+ return set_secret(service_client, arn, token)
+ elif step == 'testSecret':
+ return test_secret(service_client, arn, token)
+ elif step == 'finishSecret':
+ return finish_secret(service_client, arn, token)
+
+ raise Exception('Unknown Step: ' + step)
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/tools/rotate-secrets-manager-credentials/environment.yml
b/tools/rotate-secrets-manager-credentials/environment.yml
new file mode 100644
index 0000000..afd59c6
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/environment.yml
@@ -0,0 +1,8 @@
+test:
+ SECRET_ENDPOINT_URL: https://secretsmanager.us-west-2.amazonaws.com
+ SECRET_ENDPOINT_REGION: us-west-2
+
+prod:
+ SECRET_ENDPOINT_URL: https://secretsmanager.us-west-2.amazonaws.com
+ SECRET_ENDPOINT_REGION: us-west-2
+
diff --git a/tools/rotate-secrets-manager-credentials/requirements.txt
b/tools/rotate-secrets-manager-credentials/requirements.txt
new file mode 100644
index 0000000..663bd1f
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/requirements.txt
@@ -0,0 +1 @@
+requests
\ No newline at end of file
diff --git a/tools/rotate-secrets-manager-credentials/serverless.yml
b/tools/rotate-secrets-manager-credentials/serverless.yml
new file mode 100755
index 0000000..af5d9d2
--- /dev/null
+++ b/tools/rotate-secrets-manager-credentials/serverless.yml
@@ -0,0 +1,76 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Lambda configuration for daily CI report
+# Please don't forget to verify the email addressed at
+#
https://us-west-2.console.aws.amazon.com/ses/home?region=us-west-2#verified-senders-email
+
+service: RotateSecretsManagerCredentials
+
+custom:
+ pythonRequirements:
+ dockerizePip: true
+
+plugins:
+ - serverless-python-requirements
+ - serverless-s3-remover
+
+
+provider:
+ name: aws
+ runtime: python3.7
+ region: us-west-2
+ timeout: 290
+ stage: ${opt:stage}
+ environment: ${file(environment.yml):${self:provider.stage}}
+ iamRoleStatements:
+ - Effect: "Allow"
+ Action:
+ - "secretsmanager:DescribeSecret"
+ - "secretsmanager:GetSecretValue"
+ - "secretsmanager:PutSecretValue"
+ - "secretsmanager:UpdateSecretVersionStage"
+ - "secretsmanager:RotateSecret"
+
+ # This should actually only point to specific secrets, but we're unable
to pass in a list because env var can only be strings
+ Resource:
+ - "*"
+
+ - Effect: "Allow"
+ Action:
+ - "secretsmanager:GetRandomPassword"
+
+ Resource:
+ - "*"
+
+resources:
+ Resources:
+ #
https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html#tshoot-lambda-initialconfig-perms
+ LambdaPermission:
+ Type: AWS::Lambda::Permission
+ Properties:
+ FunctionName:
+ Fn::GetAtt: DockerHubChangePasswordLambdaFunction.Arn
+ Action: lambda:InvokeFunction
+ Principal:
+ Fn::Join: ["",["secretsmanager.", { Ref: "AWS::URLSuffix"}]]
+
+functions:
+ DockerHubChangePassword:
+ name: SecretsManager_docker_hub_change_password_function
+ handler: docker_hub_change_password.lambda_handler
+ reservedConcurrency: 1
