authorbors <bors@rust-lang.org>2019-09-20 02:43:06 +0000
committerbors <bors@rust-lang.org>2019-09-20 02:43:06 +0000
commitea3ba36f3f4b7f0168a27d23c499efeb2304e2d5 (patch)
tree440bea697ebde0458391c1246907076b34f7e10e /src
parent53b352edb6f441bc3cf5386806fcc4686f275130 (diff)
parent5384a199c70de3d93558b42ba8ed742cf03da5f4 (diff)
Auto merge of #64576 - pietroalbini:split-aws-tokens, r=alexcrichton
ci: split aws credentials in two separate users with scoped perms

This commit changes our CI to use two separate IAM users to authenticate with AWS:

* `ci--rust-lang--rust--sccache`: has access to the `rust-lang-ci-sccache2` S3 bucket and its credentials are available during the whole build.
* `ci--rust-lang--rust--upload`: has access to the `rust-lang-ci2` S3 bucket and its credentials are available just during the upload step.

The new tokens are available in the `prod-credentials` library.

r? @alexcrichton
Diffstat (limited to 'src')
-rw-r--r--src/ci/azure-pipelines/auto.yml2
-rw-r--r--src/ci/azure-pipelines/master.yml2
-rw-r--r--src/ci/azure-pipelines/steps/run.yml11
-rw-r--r--src/ci/azure-pipelines/try.yml2
4 files changed, 10 insertions, 7 deletions
diff --git a/src/ci/azure-pipelines/auto.yml b/src/ci/azure-pipelines/auto.yml
index 1656066eb29..5f776129709 100644
--- a/src/ci/azure-pipelines/auto.yml
+++ b/src/ci/azure-pipelines/auto.yml
@@ -7,7 +7,7 @@ trigger:
   - auto
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 jobs:
 - job: Linux
diff --git a/src/ci/azure-pipelines/master.yml b/src/ci/azure-pipelines/master.yml
index 9742c719658..e2baa923d99 100644
--- a/src/ci/azure-pipelines/master.yml
+++ b/src/ci/azure-pipelines/master.yml
@@ -7,7 +7,7 @@ trigger:
   - master
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 pool:
   vmImage: ubuntu-16.04
diff --git a/src/ci/azure-pipelines/steps/run.yml b/src/ci/azure-pipelines/steps/run.yml
index da0a899ac85..15a2499e460 100644
--- a/src/ci/azure-pipelines/steps/run.yml
+++ b/src/ci/azure-pipelines/steps/run.yml
@@ -175,7 +175,8 @@ steps:
   env:
     CI: true
     SRC: .
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
+    AWS_ACCESS_KEY_ID: $(SCCACHE_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(SCCACHE_AWS_SECRET_ACCESS_KEY)
     TOOLSTATE_REPO_ACCESS_TOKEN: $(TOOLSTATE_REPO_ACCESS_TOKEN)
   condition: and(succeeded(), not(variables.SKIP_JOB))
   displayName: Run build
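Review bot: The two `AWS_*` lines added to the `Run build` step's `env:` carry no comment saying which IAM user they belong to, so a later edit could map the upload keys here without it being obvious that the whole build would then hold the artifact-bucket credentials. A comment above them such as `# sccache-scoped user only; UPLOAD_* keys must never be mapped into this step` would record the intent of the split. The same kind of comment fits the `UPLOAD_*` mappings in the `Upload artifacts` hunk that follows. The step's script starts above this hunk, so what else in the build reads these variables is not visible here.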
@@ -199,7 +200,8 @@ steps:
     fi
     retry aws s3 cp --no-progress --recursive --acl public-read ./$upload_dir s3://$DEPLOY_BUCKET/$deploy_dir/$BUILD_SOURCEVERSION
   env:
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
+    AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
   condition: and(succeeded(), not(variables.SKIP_JOB), or(eq(variables.DEPLOY, '1'), eq(variables.DEPLOY_ALT, '1')))
   displayName: Upload artifacts
 
@@ -208,7 +210,8 @@ steps:
 # errors here ever fail the build since this is just informational.
 - bash: aws s3 cp --acl public-read cpu-usage.csv s3://$DEPLOY_BUCKET/rustc-builds/$BUILD_SOURCEVERSION/cpu-$CI_JOB_NAME.csv
   env:
-    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
-  condition: variables['AWS_SECRET_ACCESS_KEY']
+    AWS_ACCESS_KEY_ID: $(UPLOAD_AWS_ACCESS_KEY_ID)
+    AWS_SECRET_ACCESS_KEY: $(UPLOAD_AWS_SECRET_ACCESS_KEY)
+  condition: variables['UPLOAD_AWS_SECRET_ACCESS_KEY']
   continueOnError: true
   displayName: Upload CPU usage statistics
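Review bot: The new `condition:` tests only `UPLOAD_AWS_SECRET_ACCESS_KEY`, while the step now also needs `UPLOAD_AWS_ACCESS_KEY_ID` from the same group; `condition: and(variables['UPLOAD_AWS_ACCESS_KEY_ID'], variables['UPLOAD_AWS_SECRET_ACCESS_KEY'])` would skip the step cleanly when either is missing instead of leaning on `continueOnError`. Because this condition does not look at `DEPLOY`, the upload user's keys are handed to every job that has the variable group, not only to deploying ones. If the IAM setup allows it, a narrower credential limited to the `rustc-builds/*/cpu-*.csv` keys would keep the artifact-upload keys out of non-deploy jobs; the policy itself is not visible in this diff.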
diff --git a/src/ci/azure-pipelines/try.yml b/src/ci/azure-pipelines/try.yml
index 0df6c6c951f..c919b1023a0 100644
--- a/src/ci/azure-pipelines/try.yml
+++ b/src/ci/azure-pipelines/try.yml
@@ -3,7 +3,7 @@ trigger:
 - try
 
 variables:
-- group: real-prod-credentials
+- group: prod-credentials
 
 jobs:
 - job: Linux