Regenerate credentials for NASA SMCE accounts
This document describes how we regenerate credentials for users and the deployer
when they expire in NASA SMCE accounts.
Regenerate credentials for the deployer
Set the cluster name as an environment variable
export CLUSTER_NAME=...
Authenticate yourself using the deployer exec aws shell command. See Access individual AWS accounts and the --help information for more details.
Navigate to the AWS terraform folder in the infrastructure repo.
cd terraform/aws
Initialise terraform.
terraform init
Select the correct workspace, either by using the terraform command or setting another environment variable.
# Using terraform command
terraform workspace select $CLUSTER_NAME
# Using an environment variable
export TF_WORKSPACE=$CLUSTER_NAME
Replace the previous deployer credentials with new ones.
terraform apply -replace=aws_iam_access_key.continuous_deployer -var-file=projects/$CLUSTER_NAME.tfvars
Export the new credentials to a file and then encrypt them in-place with sops.
terraform output -raw continuous_deployer_creds > ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json
sops -i -e ../../config/clusters/$CLUSTER_NAME/enc-deployer-credentials.secret.json
git add the modified files and then commit them.
git commit -m "nasa smce clusters: re-generate deployer credentials"
You can then open a Pull Request and merge it.
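Between the sops step and git add, the credentials file sits on disk in plaintext, and it stays that way if sops fails. The following check is an added example, not part of the infrastructure repo: it refuses to stage the file unless it looks sops-encrypted. The function names and the CONFIG_ROOT variable are hypothetical, and the check assumes sops's default ENC[AES256_GCM,...] value format and that IAM user access key IDs begin with AKIA.

```shell
#!/bin/sh
# Added example (not from the infrastructure repo): guard against committing
# the deployer credentials in plaintext when `sops -i -e` was skipped or failed.

# Succeeds only if FILE looks like sops-encrypted JSON.
is_sops_encrypted() {
  f=$1
  [ -s "$f" ] || return 1                           # missing or empty file
  grep -q '"sops"[[:space:]]*:' "$f" || return 1    # metadata block sops writes
  grep -q 'ENC\[AES256_GCM,data:' "$f" || return 1  # at least one ciphertext value
  # A cleartext IAM access key ID (AKIA + 16 chars) must not survive, which
  # also catches a file that was only partially encrypted.
  if grep -Eq 'AKIA[0-9A-Z]{16}' "$f"; then return 1; fi
  return 0
}

# Stage the credentials file for cluster $1 only when it passes the check.
# CONFIG_ROOT is an assumption; the default matches running from terraform/aws.
stage_deployer_creds() {
  creds="${CONFIG_ROOT:-../../config/clusters}/$1/enc-deployer-credentials.secret.json"
  if is_sops_encrypted "$creds"; then
    git add "$creds"
  else
    echo "refusing to stage $creds: not sops-encrypted" >&2
    return 1
  fi
}
```

Run `stage_deployer_creds "$CLUSTER_NAME"` in place of a bare git add for the credentials file; a non-zero exit means the file must be re-encrypted before it goes anywhere near a commit.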
Regenerate a password for a user in a NASA SMCE account
The AWS accounts associated with NASA’s Science Managed Cloud Environment have a 60 day password expiry policy. If someone on the team misses this deadline, we can actually reset passwords for each other!
Someone in the team with access logs into the AWS console of the appropriate project.
Follow AWS’s user guide on resetting passwords for whoever’s 60 day window has elapsed.
In addition, the user will be automatically added to an AccountDisabled IAM Group whenever their credentials expire, and this will show up as a “cannot change password” error when the user logs in next. So the user should also be removed from this group. You can do so from under the “Groups” tab in the AWS console when looking at the details of this user.