
Revocation of s3 credentials

RESOLVED FIXED

Status

Testing
General

People

(Reporter: bryce, Assigned: glob)


(Reporter)

Description

2 years ago
I'm retiring several machines that I inherited the care of. These machines contained credentials for the 'platformqa' and 'platformqa-dev' buckets that I think should now be revoked. As I wasn't involved in the setup of these machines, I am uncertain as to if these keys are used by other machines. I have no reason to believe they are, but in the interest of erring on the side of caution, I'd like to make sure they are not being used anywhere else.
I don't think they're used anywhere else. They were set up specifically for jobs running in that Jenkins instance.
(In reply to Bryce Van Dyk (:SingingTree) from Bug 1302427 comment #40)
> :claudijd - The pf-jenkins.qa.mtv2.mozilla.com instance should no longer be
> reachable. More than that all of the hosts detailed here should now be
> terminated:
> https://wiki.mozilla.org/Auto-tools/Projects/Platform_Quality/Jenkins_Machine_Inventory.
> 
> I'm also seeking revocation of s3 creds relating to 'platformqa' and
> 'platformqa-dev', in case these credentials were also shared.
(Assignee)

Updated

2 years ago
Assignee: nobody → glob
(Assignee)

Comment 3

2 years ago
do you want me to just revoke the credentials (resulting in the s3 buckets continuing to exist, but effectively read-only), or do you want me to also delete the buckets and their contents?

as determining legitimate usage is tricky (especially if it's been discovered by web indexers) i propose disabling the two users and denying public access to the buckets.  if no one complains after a week we pull the plug.
Flags: needinfo?(bvandyk)
(Reporter)

Comment 4

2 years ago
Disabling and seeing if any issues arise sounds good, let's try that out.
Flags: needinfo?(bvandyk)
(Assignee)

Comment 5

2 years ago
public access to platformqa and platformqa-dev denied (via editing the bucket policy)
platformqa-s3_read-write and platformqa-dev-s3_read-write policies updated.
all updates involved s/Allow/Deny/g
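
The quarantine step from Comment 5, as an added example that is not part of the bug and not the commands glob ran: it flips only the `Effect` field of each statement, keeps a rollback copy for the trial week, and lists the resulting Deny statements that apply to every principal. The sample policy, the bucket name `example-bucket` and all function names are constructed for illustration.

```python
import copy
import json

# Constructed sample bucket policy; the real platformqa policies are not shown in the bug.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AllowList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}
""")

def _statements(policy):
    """Statement may be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def flip_to_deny(policy):
    """Return (quarantined, rollback). Only the Effect value changes, so a Sid
    such as "AllowList" keeps its name, unlike a textual s/Allow/Deny/g."""
    rollback = copy.deepcopy(policy)
    quarantined = copy.deepcopy(policy)
    for stmt in _statements(quarantined):
        if stmt.get("Effect") == "Allow":
            stmt["Effect"] = "Deny"
    return quarantined, rollback

def _is_wildcard(principal):
    """True for "*" or {"AWS": "*"}; identity policies have no Principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        values = [values] if isinstance(values, str) else values
        return "*" in values
    return False

def broad_denies(policy):
    """Sids of Deny statements covering every principal. An explicit Deny
    overrides any Allow, so these also block the account's own users."""
    return [s.get("Sid", "<no Sid>") for s in _statements(policy)
            if s.get("Effect") == "Deny" and _is_wildcard(s.get("Principal"))]

if __name__ == "__main__":
    quarantined, rollback = flip_to_deny(SAMPLE_BUCKET_POLICY)
    print(json.dumps(quarantined, indent=2))
    print("applies to all principals:", broad_denies(quarantined))
```
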
(Assignee)

Comment 6

2 years ago
SingingTree, anyone complained?
Flags: needinfo?(bvandyk)
(Reporter)

Comment 7

2 years ago
Haven't heard any displeasure on my end. None of the remaining tests that I oversee have broken or caught fire after the change. So from my perspective I'm good with a more permanent disabling. Deleting the buckets sounds sensible. They hold test run data to the best of my knowledge, but I don't believe I or anyone else on the media team needs it to be persisted.
Flags: needinfo?(bvandyk)
(Assignee)

Comment 8

2 years ago
platformqa and platformqa-dev users deleted.
platformqa and platformqa-dev s3 buckets and contents deleted.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED