about summary refs log tree commit diff
path: root/corp/ops/creds.fish
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2023-04-21T16·13+0300
committertazjin <tazjin@tvl.su>2023-04-24T10·56+0000
commit111e1d38e5ac177bcf4defe70aee1e853206bc6d (patch)
tree0670c6f3067a319859cd3d48b07d012e3ee11402 /corp/ops/creds.fish
parent0637ab3add4f57359842a451ca9ffd70194524e2 (diff)
feat(corp/ops): configure state bucket for terraform r/6109
This was a bit trickier than I anticipated, because there's no good
ways to avoid passing the credentials around manually.

What's basically happening now is that the credentials for the state
bucket are checked in (encrypted), and sourcing `creds.fish` uses the
cloud HSM to decrypt and load them into the environment.

Change-Id: I3f5ce1c9bd9d5efbf1013414f94771a09ea3a488
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8494
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Diffstat (limited to 'corp/ops/creds.fish')
-rw-r--r--corp/ops/creds.fish5
1 files changed, 5 insertions, 0 deletions
diff --git a/corp/ops/creds.fish b/corp/ops/creds.fish
new file mode 100644
index 000000000000..2985b2880864
--- /dev/null
+++ b/corp/ops/creds.fish
@@ -0,0 +1,5 @@
+export YC_TOKEN=(yc iam create-token)
+export YC_CLOUD_ID=(yc config get cloud-id)
+export YC_FOLDER_ID=(yc config get folder-id)
+export AWS_ACCESS_KEY_ID="YCAJE6eRLY8Az-9kveNRtz4sh"
+export AWS_SECRET_ACCESS_KEY=(yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)