
How To Rotate Jenkins IAM Credentials

keithdadkins edited this page Sep 28, 2023 · 1 revision

Rotate Jenkins IAM Access Keys

This runbook describes how to rotate the IAM access keys for the Jenkins mgmt service account.

This runbook is intended for team members who are familiar with Terraform, Jenkins, and the AWS CLI and who have the appropriate permissions to perform the actions described below.

Requirements

  • CMS VPN access
  • AWS CLI
  • Terraform
  • Jenkins admin privileges

Steps

  1. Move to the ops/terraform directory in the beneficiary-fhir-data repository.

  2. Run tfswitch or tfenv to ensure you are using the correct version of Terraform.

  3. Move to the ops/terraform/env/mgmt directory.

  4. Run terraform init to initialize the Terraform state if you have not already done so.

  5. Run terraform plan to ensure the state is clean and there are no changes to be applied. If the state is not clean, you may need to target the related resources (see example in step 7).

  6. Taint the access key resource so that a new key is created on the next apply. The resource address must match the one targeted in step 7.

    terraform taint aws_iam_access_key.jenkins_user_key
  7. Apply the terraform:

    # If the terraform state is clean
    terraform apply
    
    # If the terraform state is not clean, target the access key resource:
    terraform apply \
     -target="aws_iam_access_key.jenkins_user_key" \
     -target="aws_ssm_parameter.jenkins_user_key_id" \
     -target="aws_ssm_parameter.jenkins_user_key_secret"
  8. Once the Terraform has been applied, you will need to manually update the credentials in Jenkins. This can be done either via the AWS console or the AWS CLI (CLI instructions below):

    1. Open the Jenkins credentials page and click 'Update' in the left sidebar.

    2. Update the Access Key ID and Secret Access Key fields with the new values. To copy the values to the clipboard (one at a time), run the following commands (macOS only; on other platforms remove the | pbcopy to print to stdout instead):

      # get the access key id
      aws ssm get-parameter --name /bfd/mgmt/common/sensitive/user/bfd-mgmt-jenkins/aws_access_id --with-decryption --query "Parameter.Value" --output text | pbcopy
      
      # get the access key secret
      aws ssm get-parameter --name /bfd/mgmt/common/sensitive/user/bfd-mgmt-jenkins/aws_secret_key --with-decryption --query "Parameter.Value" --output text | pbcopy
    3. Click Save when done!
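The following script is an added example, not part of this runbook or the beneficiary-fhir-data repository. It wraps steps 5 through 8 in shell functions and adds the checks a practitioner wants around the rotation: it refuses to proceed silently on an unclean state (falling back to the targeted apply from step 7), confirms after the apply that the access key ID in SSM actually changed, and signs a harmless `sts get-caller-identity` call with the new key pair before anyone touches Jenkins. The resource address and SSM parameter names are the ones used in steps 7 and 8; the function names, the `ROTATE_NOW` switch and the retry count are assumptions of this example. It assumes it is run from ops/terraform/env/mgmt with the VPN up and an AWS profile that can read the parameters.

```shell
#!/usr/bin/env sh
# Added example, not part of the BFD runbook: steps 5-8 of the rotation as a
# script with checks before and after the apply. Assumes it runs from
# ops/terraform/env/mgmt with the VPN up and an AWS profile that can read the
# SSM parameters. The resource address and parameter names come from the
# runbook; the function names and ROTATE_NOW switch are this example's own.

KEY_RESOURCE="aws_iam_access_key.jenkins_user_key"
SSM_PREFIX="/bfd/mgmt/common/sensitive/user/bfd-mgmt-jenkins"

# Print the decrypted value of one parameter under SSM_PREFIX.
ssm_get() {
  aws ssm get-parameter --name "$SSM_PREFIX/$1" --with-decryption \
    --query "Parameter.Value" --output text
}

# Succeed only when `terraform plan` reports nothing to change.
# -detailed-exitcode: 0 = no changes, 2 = changes pending, 1 = error.
plan_is_clean() {
  terraform plan -detailed-exitcode >/dev/null 2>&1
}

# Sign a harmless STS call with the new key pair. Fresh IAM keys can take a
# few seconds to become usable, so retry briefly. Runs in a subshell so that
# an SSO session token or profile in the caller's environment cannot mask it.
new_key_works() {
  for _ in 1 2 3 4 5; do
    if ( unset AWS_SESSION_TOKEN AWS_PROFILE
         AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" \
           aws sts get-caller-identity --query Arn --output text >/dev/null 2>&1 )
    then
      return 0
    fi
    sleep 3
  done
  return 1
}

# Rotate the key. Prints the new access key id on stdout; the secret stays in
# SSM and is never printed. Diagnostics go to stderr. Returns non-zero if any
# step fails or the key id did not actually change.
rotate_jenkins_key() {
  old_id=$(ssm_get aws_access_id) || return 1

  targets=""
  if ! plan_is_clean; then
    echo "state is not clean; limiting apply to the key and its SSM parameters" >&2
    targets="-target=$KEY_RESOURCE"
    targets="$targets -target=aws_ssm_parameter.jenkins_user_key_id"
    targets="$targets -target=aws_ssm_parameter.jenkins_user_key_secret"
  fi

  terraform taint "$KEY_RESOURCE" || return 1
  # $targets is deliberately unquoted so it expands to separate arguments.
  terraform apply $targets || return 1

  new_id=$(ssm_get aws_access_id) || return 1
  if [ "$new_id" = "$old_id" ]; then
    echo "apply finished but the access key id in SSM did not change" >&2
    return 1
  fi

  new_secret=$(ssm_get aws_secret_key) || return 1
  if ! new_key_works "$new_id" "$new_secret"; then
    echo "new key $new_id was written to SSM but STS rejects it" >&2
    return 1
  fi

  echo "rotated: $old_id -> $new_id; update the Jenkins credential now (step 8)" >&2
  printf '%s\n' "$new_id"
}

# Only run when explicitly asked, so the file can also be sourced for its functions.
if [ "${ROTATE_NOW:-0}" = "1" ]; then
  rotate_jenkins_key
fi
```

Run it with `ROTATE_NOW=1 sh rotate-jenkins-key.sh`; `terraform apply` still asks for interactive approval exactly as in step 7. Two caveats worth keeping in mind: unless the key resource is declared with `create_before_destroy`, Terraform deletes the old key during the apply, so Jenkins jobs that depend on it fail from that moment until step 8 is complete, which is why the script tells you the new ID immediately and validates the key rather than leaving you to discover a broken pipeline. And on Terraform 0.15.2 or later, `terraform apply -replace=aws_iam_access_key.jenkins_user_key` performs the taint and apply of steps 6 and 7 in one command; the script keeps the runbook's two-step form so it behaves identically to the manual procedure.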
