Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor: Switching to Service Account JSON Credentials #16540

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

JayanaGunaweera01
Copy link
Contributor

@JayanaGunaweera01 JayanaGunaweera01 commented Aug 28, 2023

Description:

This pull request introduces a pivotal enhancement to the GitHub environment's mechanism for downloading GA packs from Google Drive during migration automation

Changes Made:

1.Transition to Service Account JSON Credentials:

The method for accessing Google Drive has been revamped. Instead of using a GCP API key, we now leverage a Service Account to download files. This is a more secure approach to handle file downloads from Google Drive. For this purpose, a dedicated file (creds.json) has been created temporarily to securely store the Service Account JSON credentials. creds.json is deleted immediately after its intended use. This ensures that the credentials cannot be accessed post-operation, safeguarding against potential vulnerabilities.

2.Removal of Old GCP Credentials:

The older method of using the GCP API key, represented by the secrets GCP_CLIENT_ID, GCP_CLIENT_SECRET, and GCP_REFRESH_TOKEN, has been deprecated and removed from the workflow. This change aligns with the shift towards utilizing the Service Account for the file download operations.

…load from Google Drive during migration automation

Description:

This pull request introduces a pivotal enhancement to the GitHub environment's mechanism for downloading GA packs from Google Drive.

Changes Made:

Transition to Service Account JSON Credentials:

The method for accessing Google Drive has been revamped. Instead of using a GCP API key, we now leverage a Service Account to download files. This is a more secure approach to handle file downloads from Google Drive.
For this purpose, a dedicated file (creds.json) has been created to securely store the Service Account JSON credentials. This file is located within the .github/migration-tester/migration-automation directory.
Removal of Old GCP Credentials:

The older method of using the GCP API key, represented by the secrets GCP_CLIENT_ID, GCP_CLIENT_SECRET, and GCP_REFRESH_TOKEN, has been deprecated and removed from the workflow. This change aligns with the shift towards utilizing the Service Account for the file download operations.
made continue-on-error value to true.
@JayanaGunaweera01 JayanaGunaweera01 changed the title Chore:Switching to Service Account JSON Credentials Refactor: Switching to Service Account JSON Credentials Aug 28, 2023
Ensured secure removal of creds.json from .github/workflows.
@@ -54,6 +54,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can writing the credentials to a file like this pose any security issues?

Copy link
Contributor Author

@JayanaGunaweera01 JayanaGunaweera01 Sep 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chamathns ,

Thank you for raising this valid concern. In the context of GitHub Actions workflows, files created within the runner environment – be it a temporary VM or container – are ephemeral. Once the workflow concludes, these files are purged, especially since our current procedure does not involve generating artifacts or saving logs from this step.
So it doesn't pose security issues.

Having said that, taking into account best practices and suggestions such as yours, I have transitioned our methodology from file-based storage to leveraging environment variables for credential management. This strategic shift not only streamlines the process but also amplifies security, effectively circumventing the risks associated with file-based credential storage.

For a detailed overview of the changes implemented, I would direct your attention to commits 1b056c8 and 3db1330.

Enhanced security by decoding sensitive JSON credentials directly from the environment variable and generating a JWT token for authentication. This eliminates the need to store credentials in a file.(creds.json)
The removal of the creds.json file was executed because this step has been superseded by the introduction of environment variables when using JSON credentials. This change prevents the storage of JSON credentials within a file, enhancing security.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants