Adding and removing access for new starters / leavers ¶

Apart from Github team membership, access to the following things should only be given after a new developer has met the Requirements for access to production environments.

Many of these steps involve scripts that need to know where you’ve checked out the credentials repository. Either preface each command with DM_CREDENTIALS_REPO=<path-to-checkout>, or export that variable before you start.

For starters and leavers clone the relevant tickets with the checklist in the 2nd line trello board (starters and leavers).

Github ¶

There are two main teams in the crown-commercial-service Github organization:

digitalmarketplace: Gives admin access to most digitalmarketplace repositories. Can be given to developers and other team members who need to view/change code (e.g. content designers).
digitalmarketplace-admin: Gives access to the private digitalmarketplace-credentials repository. Only for developers who’ve met the Requirements for access to production environments.

Admins ¶

Github organization owners can invite people to the organization and manage team membership. You can contact them via the Internal-IT Google Group
Team maintainers can invite organization members to the team

AWS ¶

AWS accounts are currently used for access to encrypted credentials, accessing CloudWatch logs, S3 (the storage backend) and for managing our Jenkins (CI) box.

Available accounts, roles and the how developers should get themselves set up, are described in AWS accounts and access.

Users are managed using our iam-users Terraform module.

To add or remove a user to AWS, start from the digitalmarketplace-aws repo. Note that there is an additional README file relating to working with Terraform.

Edit the terraform/modules/iam-users/users/main.tf file;
In the digitalmarketplace-credentials repo add new users to the correct roles in terraform/accounts/main.tfvars using sops-wrapper
- instructions in digitalmarketplace-credentials
Back in the digitalmarketplace-aws repo, go to terraform/accounts/main and run AWS_PROFILE=main-infrastructure make plan
- make sure the changes Terraform will make are sane and represent only your intended alterations
- if not - are your branches up-to-date with master?
Have PRs approved on the digitalmarketplace-aws and the digitalmarketplace-credentials repo’s.
Again from digitalmarketplace-aws/terraform/accounts/main run make apply.

When adding a user, you should now go to the users list in the IAM service, and give them a temporary password so that they can log in to the AWS Console.

The user must then log in, change their password, and set up their 2FA device - see AWS accounts and access.

Admins ¶

Users with admin access to the main digitalmarketplace account have permissions to run terraform apply to create or remove user accounts and modify access roles. They’re listed in the digitalmarketplace-credentials/terraform/accounts/main.json file under the admins key.

Credentials ¶

Access to the credentials requires access to the repo (either by being a member of the digitalmarketplace-admin Github team or an owner of the crown-commercial-service Github organization) and an AWS account with a developer or an admin role.

Removing AWS user account or permissions disables the ability to decrypt the credentials.

Admins ¶

Github.com and AWS admins.

Jenkins ¶

Add or remove users from the list of Jenkins users in jenkins-vars/jenkins.yaml in the credentials repo.

Then, from a checkout of the latest (main) Jenkins repo, apply the change with:

make keys

This will allow the new user SSH access by adding their Github public key to the jenkins authorized_keys file.

make reconfigure (restarts Jenkins, notify the team and use shutdown mode like when upgrading jenkins

This adds the user as a Jenkins administrator by creating an entry in the config XML for them.

Removing the user from the Jenkins users list also removes their SSH key from the list of authorized keys on the Jenkins instance.

GOV.UK PaaS ¶

Users can be invited to the digitalmarketplace PaaS organisation by an OrgManager,: from the PaaS admin tool. Users can also be removed in this way.

All developers and techops should be added to all spaces as space developers.

Admins ¶

PaaS users with OrgManager role for the digitalmarketplace organisation.

GOV.UK Notify ¶

Users should sign up for their own account with their work email address. Users can then be invited to the “Digital Marketplace” service team members.

Admins ¶

GOV.UK Notify “Digital Marketplace” service team members with “Modify this service and its team” permissions.

Mailchimp ¶

Users with credentials access use the shared owner account to access Mailchimp (see pass/mailchimp.com/digitalmarketplace in the credentials repo).

If a user without credentials access needs Mailchimp access, send them an invitation from the shared owner account (or another admin account).

Admins ¶

Admins users in the Mailchimp account.

Logit ¶

You can log in to Logit using Google SAML from the Google Apps menu. Send an email to the Internal-IT Google Group to ask for access.

Admins ¶

TechOps.

API tokens and other shared credentials ¶

Once access to AWS, credentials and Jenkins are removed shared credentials in credentials repository can be recycled. Main things that need to be renewed:

Production tokens for API and search API (require Infrastructure update and re-releasing all apps). Follow the instructions for Rotating API keys.
Any Digital Marketplace production admin accounts that the user had access to should be either disabled or have their passwords changed (see below)
Passwords for user accounts used in the smoke and smoulder tests (use the Rotate functional test account passwords Jenkins job)
Shared logins for other tools such as npmjs.com, found in the digitalmarketplace-credentials/pass folder.

Snyk ¶

We use Snyk to monitor vulnerabilities in our dependencies, via email alerts and pre-merge checks of any new dependencies brought in via a pull request. See Vulnerability scanning for details.

Developers can be invited to/removed from Snyk via the ‘Members’ tab of the Digital Marketplace organisation settings. The developer can then log in using their Google account, and select the ‘Digital Marketplace’ organisation from the top drop down box to view the status for each app.

Digital Marketplace administrators ¶

Accounts to access the Digital Marketplace admin app can be managed by logging in to the Digital Marketplace with an account with the “admin-manager” role.

Our production “admin-manager” user credentials are stored in digitalmarketplace-credentials/pass folder. This account can be used to invite new admin users and deactivate or change the permissions for existing admin users.

Leavers ¶

We have a template Trello ticket to help with removing leavers.

As well as using the trello ticket to remove individual accounts from all of the above services, make sure there’s a Cabinet Office Service Desk leavers ticket.