refactor: remove hard-coded AWS credentials, use ECS task IAM role #3070
Open
josephevans wants to merge 4 commits into
…ECS task role permissions.
…AMEs. This prevents overriding other records that are required for infrastructure.
Member
Author
Updated legacy ECS task permissions so this can be merged now.
Member
@josephevans can we wait to update this for a couple of weeks while we get the developers up-to-speed on Docker? (If not we lose the ability to use image uploading locally.)
a91726a to 59181af
Summary
Removes all hard-coded AWS credentials across the codebase, replacing them with ECS task IAM role permissions. Also improves Route53 DNS record handling to prevent accidental overwrites.
Changes
organization/controllers_fastly.py — use task role for Route53 updates
apis_v1/views/views_extension.py — remove hard-coded credentials
email_outbound/functions.py — remove hard-coded credentials
image/models.py — remove hard-coded credentials
retrieve_tables/controllers_master.py — remove hard-coded credentials
Additional Fixes
Motivation
Hard-coded credentials are a security liability. Using the ECS task role is the AWS-recommended approach — no secrets to rotate, no risk of leakage, and proper least-privilege access.
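A regression check for the cleanup described above, as an added example that is not code from this pull request or the project: it parses Python source and flags string literals passed as boto3's static-credential keyword arguments, plus any literal shaped like an AWS access key ID. The `BEFORE` and `AFTER` snippets are constructed, the key values are the placeholder values from AWS documentation, and `find_hardcoded_credentials` is a hypothetical helper name.

```python
import ast
import re

# boto3 keyword arguments that carry static credentials.
CRED_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
# Access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_hardcoded_credentials(source, filename="<source>"):
    """Return sorted (line, reason) findings for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            # Case 1: client(..., aws_secret_access_key="literal", ...)
            for kw in node.keywords:
                value = kw.value
                if (kw.arg in CRED_KWARGS and isinstance(value, ast.Constant)
                        and isinstance(value.value, str) and value.value):
                    findings.add((value.lineno, f"literal passed as {kw.arg}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Case 2: a key ID anywhere, e.g. in a module-level constant.
            if KEY_ID_RE.search(node.value):
                findings.add((node.lineno, "string looks like an AWS access key ID"))
    return sorted(findings)


# Constructed sample: the pattern being removed.
BEFORE = '''
import boto3
client = boto3.client(
    "route53",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

# Constructed sample: no keys, so boto3's default credential chain
# resolves the ECS task role inside the container.
AFTER = '''
import boto3
client = boto3.client("route53")
'''

if __name__ == "__main__":
    for line, reason in find_hardcoded_credentials(BEFORE, "before.py"):
        print(f"before.py:{line}: {reason}")
```

Values read from the environment or a secrets store are not literals, so they pass this check; it only catches credentials committed to source.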