nordic-dev.net/rust
nordic-dev.net/rust
2
0
Fork 0
mirror of https://github.com/rust-lang/rust.git synced 2024-11-23 15:23:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: split aws credentials in two separate users with scoped perms

Browse Source 
This commit changes our CI to use two separate IAM users to
authenticate with AWS:

* ci--rust-lang--rust--sccache: has access to the rust-lang-ci-sccache2
  S3 bucket and its credentials are available during the whole build.
* ci--rust-lang--rust--upload: has access to the rust-lang-ci2 S3 bucket
  and its credentials are available just during the upload step.

The new tokens are available in the `prod-credentials` library.
This commit is contained in:
Pietro Albini 2019-09-18 11:10:46 +02:00
parent 528379121c
commit 5384a199c7
No known key found for this signature in database
GPG Key ID: 3E06ABE80BAAF19C
4 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/ci/azure-pipelines/auto.yml
View File

@ -7,7 +7,7 @@ trigger:
- auto - auto
variables: variables:
- group: real-prod-credentials - group: prod-credentials
jobs: jobs:
- job: Linux - job: Linux

2
src/ci/azure-pipelines/master.yml
View File

@ -7,7 +7,7 @@ trigger:
- master - master
variables: variables:
- group: real-prod-credentials - group: prod-credentials
pool: pool:
vmImage: ubuntu-16.04 vmImage: ubuntu-16.04

11
src/ci/azure-pipelines/steps/run.yml
View File

@ -175,7 +175,8 @@ steps:
env: env:
CI: true CI: true
SRC: . SRC: .
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY) AWS_ACCESS_KEY_ID: $(SCCACHE_AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(SCCACHE_AWS_SECRET_ACCESS_KEY)
TOOLSTATE_REPO_ACCESS_TOKEN: $(TOOLSTATE_REPO_ACCESS_TOKEN) TOOLSTATE_REPO_ACCESS_TOKEN: $(TOOLSTATE_REPO_ACCESS_TOKEN)
condition: and(succeeded(), not(variables.SKIP_JOB)) condition: and(succeeded(), not(variables.SKIP_JOB))
displayName: Run build displayName: Run build
@ -199,7 +200,8 @@ steps:
fi fi
retry aws s3 cp --no-progress --recursive --acl public-read ./$upload_dir s3://$DEPLOY_BUCKET/$deploy_dir/$BUILD_SOURCEVERSION retry aws s3 cp --no-progress --recursive --acl public-read ./$upload_dir s3://$DEPLOY_BUCKET/$deploy_dir/$BUILD_SOURCEVERSION
env: env:
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY) AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
condition: and(succeeded(), not(variables.SKIP_JOB), or(eq(variables.DEPLOY, '1'), eq(variables.DEPLOY_ALT, '1'))) condition: and(succeeded(), not(variables.SKIP_JOB), or(eq(variables.DEPLOY, '1'), eq(variables.DEPLOY_ALT, '1')))
displayName: Upload artifacts displayName: Upload artifacts
@ -208,7 +210,8 @@ steps:
# errors here ever fail the build since this is just informational. # errors here ever fail the build since this is just informational.
- bash: aws s3 cp --acl public-read cpu-usage.csv s3://$DEPLOY_BUCKET/rustc-builds/$BUILD_SOURCEVERSION/cpu-$CI_JOB_NAME.csv - bash: aws s3 cp --acl public-read cpu-usage.csv s3://$DEPLOY_BUCKET/rustc-builds/$BUILD_SOURCEVERSION/cpu-$CI_JOB_NAME.csv
env: env:
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY) AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
condition: variables['AWS_SECRET_ACCESS_KEY'] AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
condition: variables['UPLOAD_AWS_SECRET_ACCESS_KEY']
continueOnError: true continueOnError: true
displayName: Upload CPU usage statistics displayName: Upload CPU usage statistics

2
src/ci/azure-pipelines/try.yml
View File

@ -3,7 +3,7 @@ trigger:
- try - try
variables: variables:
- group: real-prod-credentials - group: prod-credentials
jobs: jobs:
- job: Linux - job: Linux