Refactor: Switching to Service Account JSON Credentials #16540
Conversation
…load from Google Drive during migration automation Description: This pull request introduces a pivotal enhancement to the GitHub environment's mechanism for downloading GA packs from Google Drive. Changes Made: Transition to Service Account JSON Credentials: The method for accessing Google Drive has been revamped. Instead of using a GCP API key, we now leverage a Service Account to download files. This is a more secure approach to handle file downloads from Google Drive. For this purpose, a dedicated file (creds.json) has been created to securely store the Service Account JSON credentials. This file is located within the .github/migration-tester/migration-automation directory. Removal of Old GCP Credentials: The older method of using the GCP API key, represented by the secrets GCP_CLIENT_ID, GCP_CLIENT_SECRET, and GCP_REFRESH_TOKEN, has been deprecated and removed from the workflow. This change aligns with the shift towards utilizing the Service Account for the file download operations.
made continue-on-error value to true.
JayanaGunaweera01
changed the title
Ensured secure removal of creds.json from .github/workflows.
| @@ -54,6 +54,8 @@ jobs: | |||
| steps: | |||
| - name: Checkout code | |||
| uses: actions/checkout@v2 | |||
| - name: Save service account JSON credentials to a file | |||
| run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json | |||
There was a problem hiding this comment.
can writing the credentials to a file like this pose any security issues?
There was a problem hiding this comment.
Thank you for raising this valid concern. In the context of GitHub Actions workflows, files created within the runner environment – be it a temporary VM or container – are ephemeral. Once the workflow concludes, these files are purged, especially since our current procedure does not involve generating artifacts or saving logs from this step.
So it doesn't pose security issues.
Having said that, taking into account best practices and suggestions such as yours, I have transitioned our methodology from file-based storage to leveraging environment variables for credential management. This strategic shift not only streamlines the process but also amplifies security, effectively circumventing the risks associated with file-based credential storage.
For a detailed overview of the changes implemented, I would direct your attention to commits 1b056c8 and 3db1330.
Enhanced security by decoding sensitive JSON credentials directly from the environment variable and generating a JWT token for authentication. This eliminates the need to store credentials in a file.(creds.json)
The removal of the creds.json file was executed because this step has been superseded by the introduction of environment variables when using JSON credentials. This change prevents the storage of JSON credentials within a file, enhancing security.
Description:
This pull request introduces a pivotal enhancement to the GitHub environment's mechanism for downloading GA packs from Google Drive during migration automation
Changes Made:
1.Transition to Service Account JSON Credentials:
The method for accessing Google Drive has been revamped. Instead of using a GCP API key, we now leverage a Service Account to download files. This is a more secure approach to handle file downloads from Google Drive. For this purpose, a dedicated file (creds.json) has been created temporarily to securely store the Service Account JSON credentials. creds.json is deleted immediately after its intended use. This ensures that the credentials cannot be accessed post-operation, safeguarding against potential vulnerabilities.
2.Removal of Old GCP Credentials:
The older method of using the GCP API key, represented by the secrets GCP_CLIENT_ID, GCP_CLIENT_SECRET, and GCP_REFRESH_TOKEN, has been deprecated and removed from the workflow. This change aligns with the shift towards utilizing the Service Account for the file download operations.