buildbot-bridge - update taskcluster client id

RESOLVED FIXED

Status

defect
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: jlund, Assigned: jlund)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

it's current creds are dyying
You should be able to create new clientIds with the prefix "project/releng/".  The pattern is "project/releng/<tool>/<environment>" so something like "project/releng/buildbot-bridge/production".  Once that's set up and the scopes match, you should be able to just swap the credentials out with no impact.  Once the old creds are unused, let me know and I can delete them.
Oh, I actually already created these, so you'll just need to reset the accessToken to get a new one.
per irc
Assignee: nobody → jlund
/me stumbling around...

stumble 1:
13:07:50 <jlund> dustin: re: updating tc token for buildbot-bridge. I just went on to do this. I rotated the dev instance but as I am looking at prod, it seems like these tokens were rotated only 5 days ago.
13:07:55 <jlund> dustin: was that you? https://tools.taskcluster.net/auth/clients/#project%252freleng%252fbuildbot-bridge%252fproduction
13:08:14 <jlund> I would have thought this would break bbb unless we updated puppet and the bbb.ini

stumble 2:
13:27:28 <jlund> how come secrets(buildbot_bridge_dev_taskcluster_client_id) shows something more like a random str id instead of project/releng/buildbot-bridge/dev
13:27:34 <jlund> do we support aliases?
13:28:35 <jlund> or are they different and project/releng/buildbot-bridge/dev was created after but never added to buildbotbridge. and bbb uses some old clientid?


stumble 3:
13:32:14 <jlund> well, tclistener seems to have restarted cleanly (according to logs) and the new tc token is in config.json so they must be the same client id


so if I were to guess, the client id: project/releng/buildbot-bridge/dev and client id in buildbot_bridge_dev_taskcluster_client_id in puppet were not related. but then in part 3 above, it appears like updating buildbot_bridge_dev_taskcluster_access_token via puppet with new rotated keys, didn't break dev bbb. Now I'm confused..
Yep, the old clientIds were "slugids" which are base64 strings.  I had created the new clientIds already (comment 2) with new more readable names.  So you needed to reset the accessToken for that clientId (comment 2).  It sounds like you did that?
thanks.

it turned out I we ran into auth errors on the dev instance after all. This was due to the clientid not being updated

so I've updated the dev instance with the correct clientid along with its respective newly rotated access token. I then restarted the bbb services.

Since it took some time to show cred errors on the dev instance, I'm going to give it a day before updating prod.
(In reply to Dustin J. Mitchell [:dustin] from comment #7)
> https://tools.taskcluster.net/auth/clients/#5Svq_nEQSFCDnNNcPHj2sQ shows a
> recent usage - is it used somewhere else?

I suspect production bbb:

https://tools.taskcluster.net/auth/clients/#project%252freleng%252fbuildbot-bridge%252fproduction  shows 11 days ago.
yeah. I'll update prod now.
bbb prod has been updated and checking back on the logs show that it likely was updated without issue. closing this for now
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.