Closed Bug 1627289 Opened 5 years ago Closed 4 years ago

Request to Enable Single Sign On on AWS Accounts- SRE Accounts (~25)

Categories

(Infrastructure & Operations :: SRE, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Due Date:

People

(Reporter: schu, Assigned: limed)

References

Details

AWS project to standardize accounts and enable Mozilla Single Sign On (SSO)

The instructions can be found here: https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup

For the following accounts:
058419420086
095732026120
177680776199
178589013767
222455217982
246013728370
324161760293
329567179436
333683252453
359555865025
412902012385
503205249670
517826968395
558986605633
589768463761
598097830519
633020870034
645554471334
723362035877
921547910285

Update 4/20 - We need to account for these accounts as well:
783633885093 - itsre-apps
903937621340 - mozilla-subhub

Blocks: 1626082
No longer depends on: 1626082

After discussion with Ed and Tristan, the SE team will do the following accounts by end of 7/31 (Steps 1-3 from the Mana instructions), and cleanup and close-out of accounts will occur by 8/31.

058419420086
095732026120
177680776199
178589013767
222455217982
246013728370
324161760293
329567179436
333683252453
359555865025
412902012385
517826968395
558986605633
589768463761
598097830519
633020870034
723362035877
921547910285
342958218804
369987351092
511311476423
884003976652
644164654150
783633885093
903937621340

Due Date: 2020-07-31
Summary: Request to Enable Single Sign On on AWS Accounts- SRE Accounts (20) → Request to Enable Single Sign On on AWS Accounts- SRE Accounts (~25)

Account 329567179436

  • Cleanup tasks completed
    • Custom Auth0 rules for SAML integration removed
    • Auth0 client/app XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6 AWS Consolidated Billing - Temporary Admin deleted
    • Auth0 client/app koX1ze40wpoUovVV3RA7K79uTlxpbZFp AWS Consolidated Billing - Read Only deleted

Hey Ed, it looks like the following account has a user in it but it has been marked as "Cleaned Out" / "Done" in the spreadsheet. I'll delete the "Done" from the spreadsheet. Would you work with the teams to get this user removed?

324161760293

  • devadmin
Flags: needinfo?(limed)

(In reply to Gene Wood [:gene] from comment #3)

> Hey Ed, it looks like the following account has a user in it but it has been marked as "Cleaned Out" / "Done" in the spreadsheet. I'll delete the "Done" from the spreadsheet. Would you work with the teams to get this user removed?
>
> 324161760293
>
>   • devadmin

The user is now deleted.

Flags: needinfo?(limed)

Would you tear down the SAML SSO integration in 329567179436 Consolidated Billing?

This includes

  • deleting the IAM identity providers
  • deleting the Auth0 clients (jabba can help)
  • deleting the IAM roles that have trust policies that use those identity providers

Flags: needinfo?(limed)

(In reply to Gene Wood [:gene] from comment #5)

> Would you tear down the SAML SSO integration in 329567179436 Consolidated Billing?
>
> This includes
>
>   • deleting the IAM identity providers

Odd, terraform should have done this for me, but I think the state was in a messy place, so I removed this manually.

>   • deleting the Auth0 clients (jabba can help)

Will reach out to jabba for this.

>   • deleting the IAM roles that have trust policies that use those identity providers

This is also done.

I have a PR https://github.com/mozilla-iam/sso-dashboard-configuration/pull/381/files waiting for merge.

Flags: needinfo?(limed)
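The teardown order discussed above matters: roles whose trust policies name a SAML identity provider should go (or have their trust policy rewritten) before the provider itself, otherwise they are left trusting an ARN that a provider recreated under the same name would get again. The following is an added example, not code from this bug or from the mozilla-iam / mozilla-it projects. It runs offline over constructed data shaped like the `AssumeRolePolicyDocument` that `iam:GetRole` returns, with a placeholder account id; in a real account the same functions would be fed the output of boto3's `list_saml_providers` and `list_roles`.

```python
"""Audit which IAM roles still trust a set of SAML identity providers.

Added example (not code from the bug or from mozilla-iam): the data below is
constructed to look like what iam:ListSAMLProviders and iam:GetRole return,
with a placeholder account id.
"""
from typing import Dict, List, Set

ACCOUNT_ID = "123456789012"  # placeholder, not a real account

# Constructed: ARNs of the SAML providers that are about to be torn down.
SAML_PROVIDERS: List[str] = [
    f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/example-sso",
]

# Constructed: roles with their trust policies (AssumeRolePolicyDocument).
ROLES: List[Dict] = [
    {
        "RoleName": "ExampleAdminRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/example-sso"},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
            }],
        },
    },
    {
        "RoleName": "ExampleEC2Role",  # service role, unrelated to SSO
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }],
        },
    },
    {
        "RoleName": "ExampleMixedRole",  # trusts the provider and another account
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow",
                 "Principal": {"Federated": [f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/example-sso"]},
                 "Action": "sts:AssumeRoleWithSAML"},
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                 "Action": "sts:AssumeRole"},
            ],
        },
    },
]


def federated_principals(trust_policy: Dict) -> Set[str]:
    """Collect every Federated principal granted by an Allow statement.

    Principal.Federated may be a string or a list, and Statement may be a
    single dict or a list, so both shapes are normalised here.
    """
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found: Set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or missing principal: not a federated trust
        federated = principal.get("Federated", [])
        if isinstance(federated, str):
            federated = [federated]
        found.update(federated)
    return found


def roles_trusting_providers(roles: List[Dict], providers: List[str]) -> Dict[str, List[str]]:
    """Map each role name to the subset of `providers` its trust policy references."""
    wanted = set(providers)
    hits: Dict[str, List[str]] = {}
    for role in roles:
        matched = federated_principals(role["AssumeRolePolicyDocument"]) & wanted
        if matched:
            hits[role["RoleName"]] = sorted(matched)
    return hits


def teardown_plan(roles: List[Dict], providers: List[str]) -> List[str]:
    """Order the deletions: dependent roles first, then the providers themselves."""
    plan = [f"delete role {name}" for name in sorted(roles_trusting_providers(roles, providers))]
    plan += [f"delete saml-provider {arn}" for arn in providers]
    return plan


if __name__ == "__main__":
    for step in teardown_plan(ROLES, SAML_PROVIDERS):
        print(step)
```

The service role is correctly ignored, and the role that mixes a federated statement with a cross-account one is still flagged, because any Allow statement naming the provider is enough to keep the role dependent on it.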

> Will reach out to jabba for this

Can you share the ticket that this is being tracked in (the removal of the client ids)?

LQYqFky3PtgLBRanO6bQjMTjEgQgTv5L
XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6
koX1ze40wpoUovVV3RA7K79uTlxpbZFp

> I have a PR https://github.com/mozilla-iam/sso-dashboard-configuration/pull/381/files waiting for merge

I've merged it.

Flags: needinfo?(limed)

(In reply to Gene Wood [:gene] from comment #7)

> Will reach out to jabba for this
>
> Can you share the ticket that this is being tracked in (the removal of the client ids)?
>
> LQYqFky3PtgLBRanO6bQjMTjEgQgTv5L
> XA2fOQITX6rGNHy8DI3KuuRdccaKwsM6
> koX1ze40wpoUovVV3RA7K79uTlxpbZFp

Talked to :jabba; he said that it was already deleted and none of those client_ids are listed on Auth0.

Flags: needinfo?(limed)

Excellent, thank you.

Ed, can the elim IAM user and arn:aws:iam::329567179436:role/itsre/AdminRole and arn:aws:iam::329567179436:role/itsre/ReadOnlyRole roles be removed from the Consolidated Billing 329567179436 AWS Account?

Flags: needinfo?(limed)

(In reply to Gene Wood [:gene] from comment #9)

> Excellent, thank you.
>
> Ed, can the elim IAM user and arn:aws:iam::329567179436:role/itsre/AdminRole and arn:aws:iam::329567179436:role/itsre/ReadOnlyRole roles be removed from the Consolidated Billing 329567179436 AWS Account?

This is done, completed in https://github.com/mozilla-it/moz-consolidated-billing/pull/15 (not sure if you can see that PR since it's a private repo).

Flags: needinfo?(limed)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

My bad for resolving

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → limed

Here are the IAM users that still need to be deleted

  • 095732026120
    • akatsoulas
  • 177680776199
    • adelbarrio
    • afrank
    • elim
    • sidler
  • 342958218804
    • mbalfanz
  • 558986605633
    • bpeiris
    • gfodor
    • jmarinacci
    • jshaughnessy
    • klee
    • larsberg
    • netpro2k
    • plamb
    • rlong
    • rwilson
  • 644164654150
    • tdaede
  • 783633885093
    • afrank-dev
  • 884003976652
    • andrenatal
    • dbryant
    • mrstegeman

Ed, could you delete these users (assuming they've cutover to using SSO)?

Flags: needinfo?(limed)

The following were deleted:

  • 095732026120
    • akatsoulas
  • 177680776199
    • adelbarrio
    • afrank
    • elim
    • sidler
  • 342958218804
    • mbalfanz
  • 644164654150
    • tdaede
  • 884003976652
    • andrenatal
    • dbryant
  • 783633885093
    • afrank-dev
  • 558986605633
    • gfodor
    • larsberg
    • plamb
    • rwilson
    • jmarinacci
    • jshaughnessy
    • bpeiris

That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation; I'll chase the people down for this.

  • 558986605633
    • klee
    • netpro2k
    • rlong
  • 884003976652
    • mrstegeman

For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list.

Flags: needinfo?(limed)
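The reason Ed keeps a few IAM users around is the one every SSO cutover hits: an access key that is still being used daily usually belongs to a CI job or script, not a person, and deleting the user breaks it (the later e-mail in this bug about keys "used daily" is the same problem). Below is an added example, not code from this bug, that makes that triage explicit. The users and key metadata are constructed, shaped like the combination of `iam:ListAccessKeys` and `iam:GetAccessKeyLastUsed` output; a real run would fill the same structure from boto3 and the verdicts would be computed identically.

```python
"""Triage IAM users before deleting them: is any access key still in use?

Added example (not code from the bug): the users below are constructed, shaped
like the combination of iam:ListAccessKeys and iam:GetAccessKeyLastUsed output.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed reference time so the example is deterministic.
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed users. LastUsedDate is None when a key has never been used.
USERS: List[Dict] = [
    {"UserName": "example-daily",     # key hit 20 hours ago: probably automation
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
                     "LastUsedDate": NOW - timedelta(hours=20)}]},
    {"UserName": "example-stale",     # key last used months ago
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
                     "LastUsedDate": NOW - timedelta(days=120)}]},
    {"UserName": "example-unused",    # key created but never used
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
                     "LastUsedDate": None}]},
    {"UserName": "example-inactive",  # recently used, but the key is already disabled
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
                     "LastUsedDate": NOW - timedelta(days=2)}]},
    {"UserName": "example-nokeys", "AccessKeys": []},
]


def classify_user(user: Dict, now: datetime, window_days: int = 30) -> Tuple[str, str]:
    """Return ("delete" | "investigate", reason).

    A user is safe to delete when no *active* key was used inside the window;
    a recently used active key means something (a person or a CI job) still
    depends on it, so the owner has to be asked before the user goes.
    """
    cutoff = now - timedelta(days=window_days)
    for key in user.get("AccessKeys", []):
        if key.get("Status") != "Active":
            continue  # inactive keys cannot authenticate, so they do not block deletion
        last = key.get("LastUsedDate")
        if last is not None and last >= cutoff:
            age_h = int((now - last).total_seconds() // 3600)
            return "investigate", f"active key {key['AccessKeyId']} used {age_h}h ago"
    return "delete", f"no active key used in the last {window_days} days"


def triage(users: List[Dict], now: datetime, window_days: int = 30) -> Dict[str, str]:
    """Map each user name to its verdict."""
    return {u["UserName"]: classify_user(u, now, window_days)[0] for u in users}


if __name__ == "__main__":
    for u in USERS:
        verdict, why = classify_user(u, NOW)
        print(f"{u['UserName']:18} {verdict:12} {why}")
```

The window is the only tunable: 30 days catches daily and weekly jobs, but a quarterly job will look unused, so widen it (or check CloudTrail for the key id) before deleting a user whose key has a last-used date at all.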

> The following were deleted

Excellent, thank you.

> For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list

netpro2k is actually the nick for Dominick D'Aniello. I know I was also confused by it.

> That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation; I'll chase the people down for this

Thank you. When should I check back, 9/9/2020?

Flags: needinfo?(limed)

(In reply to Gene Wood [:gene] from comment #14)

> > The following were deleted
>
> Excellent, thank you.
>
> > For account 558986605633, the account netpro2k looks like a service account and shouldn't be on the list
>
> netpro2k is actually the nick for Dominick D'Aniello. I know I was also confused by it.

I'll chase this one down.

> > That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation; I'll chase the people down for this
>
> Thank you. When should I check back, 9/9/2020?

Since this is a short week, check back mid-week, 9/16/2020 perhaps?

Flags: needinfo?(limed)

> That leaves the following users, which I am keeping around to make sure their keys are not used in some sort of automation; I'll chase the people down for this
>
> 558986605633
>     klee
>     netpro2k
>     rlong
>
> 884003976652
>     mrstegeman

Ed, you'd asked me to check back 9/16/2020. Are these IAM users now deleted?

Flags: needinfo?(limed)

I met with Ed today

558986605633

Ed will try to delete users by tomorrow. I will meet with him again tomorrow to get an update.

884003976652

I wrote to David Bryant and Mike Stegeman:

Ya, this is the last IAM user and last AWS account we need to cut over to SSO, so I'd prefer to finish it now instead of in 4 months. I'm also happy to do whatever work is needed to make it happen.

I've created this Mozillians group

https://mozillians.org/en-US/group/project-link-aws-admin/

and sent invites to both of you

Mike, it looks like you have this mozillians account : https://mozillians.org/en-US/u/mstegeman/

though it's bound to your @mozilla.com email address. Can you access it? If not I can get your personal email ( michael@stegeman.me ) added if you like. Let me know if that sounds ok.

David, once you accept that group invite in your email you should be in.

Mike, would you be able to create an IAM user with an API key that's dedicated to CI (and doesn't have admin rights) to be used by the https://github.com/mozilla-iot/addon-list and https://github.com/mozilla-iot/addon-builder CI integrations? If you'd like I can help set those up, or we can zoom and knock it out pretty quickly.

Ed would you create the IAM Role to use the new mozillians group "mozilliansorg_project-link-aws-admin"?

Here are the previous communications:

Hi Ed,

I do not have a Mozillians account... How soon are you looking to shut down the local IAM accounts? It seems like I'll only need access through the end of the year, and probably less than that in reality.

The access keys are primarily used by these two repositories, via GitHub CI:

https://github.com/mozilla-iot/addon-list
https://github.com/mozilla-iot/addon-builder

I don't believe there is anything else actively using them, and really, I've been wanting to move away from S3 for those jobs anyway, so automated access would then cease.

-Michael

From: Ed Lim
To: Michael Stegeman
Cc: David Bryant
Subject: Re: Project-link AWS account
Date: Mon, 14 Sep 2020 15:56:29 -0700

Hi Michael,
We're trying to get away from using local IAM accounts as a login. Do you have a mozillians account? If not, you should try to create one; we can grant access to the AWS account using SSO through mozillians, so if you have one you should go ahead and create one.

I noticed that there are access keys on your account that are also used daily; is that for automation purposes that you run daily or something? If so, we should convert that to something like a service account that is not associated with your IAM user and will also potentially have more scoped permissions vs. just administrator access for now. Do you mind telling me where this CI job is run in GitHub? I would be happy to create a service account for you, thanks.

Users in the 558986605633 account have been deleted, so the "mixed-reality" account is considered done.

All that remains is 884003976652, and as of comment 18 we are working through the problem to get the last remaining user access.

Flags: needinfo?(limed)

I worked with the two users in AWS account 884003976652 last week, got them setup on SSO and had the one AWS IAM user removed.

884003976652 is now done.

Thanks for all the help with this Ed.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
See Also: → 1525127
See Also: → 1526077