1496783 - access to create secrets for Thunderbird builds

Status: RESOLVED FIXED

(Taskcluster :: Operations and Service Requests, task)

Description

[Rob Lemley [:rjl]]

I'm the new build engineer for Thunderbird, and I've been asked to set up new secrets in Taskcluster for our "upload-symbols" task. (bug 1461560)

I don't have the necessary access to create new secrets where they need to go however. 

The secrets need to be at:
secrets:get:project/comm/thunderbird/releng/build/level-1/gecko-symbol-upload
secrets:get:project/comm/thunderbird/releng/build/level-3/gecko-symbol-upload

And these are the secrets scopes that I have access to:
secrets:get:garbage/*
secrets:get:project/comm/thunderbird/releng/build/level-1/*
secrets:get:project/releng/comm/build/level-1/*
secrets:get:project/releng/gecko/build/level-1/*
secrets:get:project/taskcluster/gecko/hgfingerprint
secrets:set:garbage/*

Tom Prince previously managed these secrets and can vouch for me.

Thanks!

Comment 1

[Tom Prince [:tomprince]]

I've attached a patch which creates the role `project:releng:ci-group:thunderbird-releng`. :rjl will need  to be granted that role. My initial thought was to create mozillians groups corresponding to that role, but it appears that only staff/NDA'd mozillians can be added to mozillian access groups. I think the easiest is to just add that directly to :rjl's clientID.

:rjl What is your client id from https://tools.taskcluster.net/credentials

Comment 2

[Tom Prince [:tomprince]]

Attachment: Bug 1496783: Add a group for managing thunderbird secrets; r?bstack

Comment 3

[Rob Lemley [:rjl]]

mozilla-auth0/ad|Mozilla-LDAP|thunderbird

Comment 4

[Tom Prince [:tomprince]]

So, we need to add `assume:project:releng:ci-group:thunderbird-releng` to a new role `login-identity:mozilla-auth0/ad|Mozilla-LDAP|thunderbird`.

Comment 5

[Brian Stack [:bstack]]

https://tools.taskcluster.net/auth/roles/login-identity%3Amozilla-auth0%2Fad|Mozilla-LDAP|thunderbird

Comment 6

[Rob Lemley [:rjl]]

Working as expected. Thanks!