fix(infra): scope task-runner Key Vault access to specific secrets#303
Merged
Replace vault-wide Key Vault Secrets User role for the job identity with per-secret scoped assignments. The task-runner can now only read github-token and copilot-api-key, not controller-only secrets like gitlab-token and jira-api-token.

Closes #297

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
8de556f to d358354
What

Replace vault-wide Key Vault Secrets User role for the job (task-runner) identity with per-secret scoped RBAC assignments.

Why

The task-runner had access to all Key Vault secrets including controller-only ones (gitlab-token, jira-api-token). This violates least privilege — the task-runner only needs github-token or copilot-api-key.

Changes

infra/keyvault.tf: Replace single azurerm_role_assignment.job_kv (vault-wide) with two per-secret assignments:
- job_kv_github_token → scoped to {vault}/secrets/github-token
- job_kv_copilot_api_key → scoped to {vault}/secrets/copilot-api-key

Design decision

Both secrets are granted unconditionally regardless of copilot_auth mode. Only one secret exists in KV at a time, so granting access to a non-existent secret is harmless. This avoids conditional RBAC complexity for zero security benefit.

How to test

cd infra && terraform init -backend=false && terraform validate

gitlab-token

Review notes

Closes #297
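As an added illustration (not the project's infra/keyvault.tf), here is the vault-wide assignment the PR removes beside a per-secret version. It generalizes the PR's two explicit resources into one for_each resource, and assumes the resource names azurerm_key_vault.main and azurerm_user_assigned_identity.job.

```hcl
# Hypothetical Terraform excerpt; resource names are assumptions, not the project's.
# The vault must use Azure RBAC authorization (not access policies) for
# secret-level scopes to take effect.

# BEFORE: vault-wide scope. The job identity can read every secret in the vault,
# including any controller-only secret added later.
resource "azurerm_role_assignment" "job_kv" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.job.principal_id
}

# AFTER: one assignment per secret the task-runner actually needs. The scope is
# the secret's own resource ID, so other secrets in the same vault stay out of reach.
locals {
  job_secrets = toset(["github-token", "copilot-api-key"])
}

resource "azurerm_role_assignment" "job_kv_secret" {
  for_each             = local.job_secrets
  scope                = "${azurerm_key_vault.main.id}/secrets/${each.value}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.job.principal_id
}
```

Adding a new task-runner secret means adding its name to local.job_secrets; anything not listed, such as gitlab-token or jira-api-token, remains unreadable by the job identity.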