Transcript from the "Build a CI Pipeline" Lesson
>> Now, you can imagine a world where putting your administrator access key and secret key and trusting GitHub with it. It's probably not the best, not to say that Git GitHub is not trustworthy. But it's the internet, right? And if you put in that key to be able to do all the command line stuff we're doing from our laptops.
[00:00:24] And something happens because stuff happens, that's not a good look, right? And so what we wanna do is we wanna create a user with a policy that has access to the bare minimum that we would need to build a CICD pipeline, which is predominantly like, cool. You should be able to like put stuff in that bucket.
[00:00:48] And you should be able to issue in validations if that's the like spiritual path that you went down. And like, that's it, right? Even, that's not great if you are. If you get GitHub gets hacked, cuz they could theoretical push that bucket with that. But hopefully like in a big enough hack, you're rushing to a [LAUGH] to get in there and fix it as well.
[00:01:10] And you need to mitigate it, so yeah the other options are yo self host something something Jenkins have fun. But for now, for our cases, this will work. So let's go ahead and go through the part where we are going to create a policy. So let's go back into I am in this case.
[00:01:36] Let's see which one I don't need my S3 book anymore. We will use that tab, all right? We will go ahead and we are going to create a brand new policy, which is unique for our C I C D process. So, is there one of the 915 that are existing maybe does this I don't think so.
[00:02:00] But like, I accept the possibility that of 915 of them. Maybe there's one that does something similar. So hit create policy. Okay, so now we get a little visual editor and choose a service. There's lots of them, let's say cloud front. Let's just look at cloud that's the number of things in AWS that start with Cloud.
[00:02:32] So, naming things, it's hard. [LAUGH] CloudFront, it does two things that were basically set up cache invalidation on something that's named with the cloud. Naming things and cache invalidation are two of the hardest problems in computer science and off by one errors. Okay, so we don't want to give it all Cloudfront actions, all right?
[00:02:52] We just want to give it the ability for creating invalidations. All right, and then which one? Let's see, that is the CloudFront in the distribution ID. I need to go back and get this is not one of the ones that is going to manually fill it in for you or give you the drop down like it didn't have 53 or a few other places so we get to go back.
[00:03:24] Now we want remember before I was like for the o ai, you didn't want this one that starts with me. You want the other one to start with a capital E. Now you want this one that starts with a capital E. Okay, so now we'll go back in here and we'll paste that in.
[00:03:40] So this is kind of familiar. It's like this is, we're saying, Amazon resource number for AWS cloud front. This is our account number that we made in the very beginning, yours is obviously different than mine. We made in the very beginning of the workshop for this distribution in which CloudFront distribution.
[00:03:58] So put that one in there as well. And then we want to add additional permissions. And we will choose a service. And this time we want s3, cool And so now what we want to do is for this one we want put object And I believe it needs access to list object as well.
[00:04:35] This bucket rather, so you can see what's in the bucket. You can put stuff in the bucket that's about it. All right, one selected and one selected perfect. That should do the trick. If not, we'll find out when we go to deploy and we'll get told exactly what permission we're forgetting.
[00:04:58] Next the tags so we've got that in place. I don't see the s3 one, which means there's probably one additional button that I missed. So I'm going to go back. There do we need to set the resource? Yeah, this one we have to tell which bucket, so in this case we want superawesome.click.
[00:05:31] I like that it was just gonna let me make a policy. Just missing S3 completely. Instead of at any point, show me an error about the issue. So that's great, superawesome.click. And this one will give it access to everything in the bucket just like when we made it by hand before.
[00:05:51] So one of those is I believe, for the list bucket because it doesn't need to know which things in the bucket. So we'll go ahead and create that policy. One of the questions we got earlier you can see this one's got caught from s3 It was, if you blow past the 1000 free invalidations, how much did they cost beyond that?
[00:06:10] It is half a penny per invalidation. We looked it up during the break, I said, you get 1000 out. To be fair, the 1000 invalidations is spread across all of the CloudFront distributions in that account, right? So like that is not 1000 just a distribution, it is 1000 across all of them.
[00:06:32] And like I had that conversation like well what if we deploy more than 1000 times a month? I'm like I would love that problem, right? Personally, but yeah, it is relatively cheap beyond that, but that might, if there's some other reason why you might be casting validations above and beyond just deploy on a deploy.
[00:06:51] Then some of the other playing with the time to live might be the right choice in this case, okay? So we'll give this name, we need to give the policy a name and we'll say like, Build process, I don't know. I don't love that name, but how about deploy static assets?
[00:07:17] I like that name better. You can give a description, you don't necessarily have to. And we'll create that policy. All right, so now we have this new customer managed one this is different than all the AWS ones. Now that's just a policy that is a set of permissions that we can apply to different users.
[00:07:41] Remember when we made our administrator before we manually applied a set of permissions? Now we have our own cert which is deploy static assets that we can put on to any user that we create. So we need to do Is we need to create another user different from our administrator whose sole job is that can deploy to this one bucket, and cast invalidations on one distribution.
[00:08:10] Right, yeah, still not ideal. We lose control of that user. Also, when we put it in GitHub, we will encrypt all those things. But yeah, like still a risk, but the blast area is a lot smaller in this case. So go to Users and this should be somewhat familiar.
[00:08:30] Gonna add a user. This one I'll call build process. So this one's gonna be a little bit different than the administrator because we knew what the administrator we wanted to log in, right? And like play around in the console. Our CI CD pipeline should not be able to log in and click buttons.
[00:08:56] It should only have an API key, okay? So we will keep access key programmatic access turned on even then we know has very limited amount or will have very limited amount of that access. And then it gets no password, right it should not be able to log into the console at all.
[00:09:18] So now instead of. Actually we want to click this one right here, and then we want to instead of picking one of the AWS ones, We have our deploy static assets policy. So now we can apply it that one as well. So now we have created a user that can only do one thing.
[00:09:49] We're not gonna use tags in this case and deploy static assets. Right, this is again that very arduous screen. If you mess this up and you just click away from, it you will have to regenerate the key, which you can do on the on the overall users as the administrator.
[00:10:07] So either go show yourself that secret SSH access key, and copy it somewhere the time being or in my case. I'm going to download the CSV and hope that I don't confuse it with the other one that I downloaded earlier. And then, once you close this page, there is no way to see that key again, unless you go ahead and regenerate that.
[00:10:35] Cool. All right, so let's see we have a user that can now from GitHub deploy, the next step is we need to set that up.