Adding and removing access for new starters / leavers

Apart from Github team membership, access to the following things should only be given after Security Clearance has been completed.

Many of these steps involve scripts that need to know where you’ve checked out the credentials repository. Either preface each command with DM_CREDENTIALS_REPO=<path-to-checkout>, or export that variable before you start.

For starters and leavers, clone the relevant ticket (with its checklist) from the 2nd line Trello board (starters and leavers).

Github

There are two main teams in the alphagov Github organization:

digitalmarketplace
Gives admin access to most digitalmarketplace repositories. Can be given to new developers before their Security Clearance (SC) has been completed.
digitalmarketplace-admin
Gives access to the private digitalmarketplace-credentials repository - SC only.

Admins

  • Github organization owners can invite people to the organization and manage team membership
  • Team maintainers can invite organization owners to the team
  • To request the alphagov organization owner role, send an email to the gds-github-owners@ Google group.

AWS

AWS accounts are currently used for access to encrypted credentials, accessing CloudWatch logs, S3 (the storage backend) and for managing our Jenkins (CI) box.

The available accounts and roles, and how developers should get themselves set up, are described in AWS accounts and access.

Users are managed using our iam-users Terraform module.

To add or remove an AWS user, start from the digitalmarketplace-aws repo. Note that there is an additional README file about working with Terraform.

When adding a user, you should now go to the users list in the IAM service, and give them a temporary password so that they can log in to the AWS Console.

Admins

Users with admin access to the main digitalmarketplace account have permissions to run terraform apply to create or remove user accounts and modify access roles. They’re listed in the digitalmarketplace-credentials/terraform/accounts/main.json file under the admins key.

Credentials

Access to the credentials requires access to the repo (either by being a member of the digitalmarketplace-admin Github team or an owner of the alphagov Github organization) and an AWS account with a developer or an admin role.

Removing a user’s AWS account or permissions removes their ability to decrypt the credentials.

Admins

Github.com and AWS admins.

Docker Hub

Users should sign up for their own account with their work email address. Users can then be invited to the “digitalmarketplace” organisation.

Jenkins

Add or remove users from the list of Jenkins users in jenkins-vars/jenkins.yaml in the credentials repo.

Then, from a checkout of the latest (master) Jenkins repo, apply the change with:

  • make jenkins TAGS=keys
  • make jenkins TAGS=config (this restarts Jenkins: notify the team and use shutdown mode, as when upgrading Jenkins)
  • This adds the user as a Jenkins administrator by creating an entry in the config XML for them.

Removing the user from the Jenkins users list also removes their SSH key from the list of authorized keys on the Jenkins instance.

GOV.UK PaaS

Users can be invited to the digitalmarketplace PaaS organisation by an OrgManager, from the PaaS admin tool. Users can also be removed in the admin.

All security-cleared developers should be added to the preview and monitoring spaces; we add and remove developers from the staging and production spaces as required (e.g. when transitioning on or off 2nd-line support).

They can be added/removed from a role as follows:

cf set-space-role <user-email> digitalmarketplace <space> SpaceDeveloper
cf unset-space-role <user-email> digitalmarketplace <space> SpaceDeveloper
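As an added example (not part of this manual), a small POSIX shell wrapper around the two cf commands above that encodes the space policy stated earlier: starters are granted SpaceDeveloper in preview and monitoring only, while leavers are removed from every space. It assumes the cf CLI is already logged in and targeted at the organisation; CF_CMD is a hypothetical variable that lets you dry-run with echo instead of cf.

```shell
#!/bin/sh
# Added example, not the Digital Marketplace team's own script.
# Assumes the cf CLI is logged in; set CF_CMD=echo for a dry run.

ORG=digitalmarketplace
ROLE=SpaceDeveloper
STARTER_SPACES="preview monitoring"
ALL_SPACES="preview monitoring staging production"

# Print the spaces an action applies to; fail on an unknown action.
spaces_for() {
  case "$1" in
    add) echo "$STARTER_SPACES" ;;
    remove) echo "$ALL_SPACES" ;;
    *) return 1 ;;
  esac
}

# dm_space_roles <add|remove> <user-email>
# "add" grants the role only in the spaces every cleared developer gets;
# staging and production are still granted by hand when needed.
# "remove" revokes the role from every space so a leaver loses it all.
dm_space_roles() {
  action=$1; email=$2
  case "$email" in
    *@*.*) ;;
    *) echo "invalid email: '$email'" >&2; return 2 ;;
  esac
  spaces=$(spaces_for "$action") || { echo "unknown action: $action" >&2; return 2; }
  for space in $spaces; do
    case "$action" in
      add) "${CF_CMD:-cf}" set-space-role "$email" "$ORG" "$space" "$ROLE" ;;
      remove) "${CF_CMD:-cf}" unset-space-role "$email" "$ORG" "$space" "$ROLE" ;;
    esac
  done
}

# Run directly: ./dm_space_roles.sh add dev@example.com
if [ "$#" -gt 0 ]; then dm_space_roles "$@"; fi
```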

Admins

PaaS users with OrgManager role for the digitalmarketplace organisation.

GOV.UK Notify

Users should sign up for their own account with their work email address. Users can then be invited to the “Digital Marketplace” service team members.

Admins

GOV.UK Notify “Digital Marketplace” service team members with “Modify this service and its team” permissions.

Mailchimp

Users should sign up for their own account with their work email address. Users can be invited to the “Government Digital Service” Mailchimp account. Users will need to set up two-factor authentication to access Mailchimp.

There is a shared developer Mailchimp account for the creation of API keys (see logins.enc in the credentials repo).

Admins

Admin users in the Mailchimp account.

If a developer is leaving the team and has a Mailchimp API key linked to their account, ensure a replacement API key has been created using the DM developer account (and is stored in the credentials repo) before removing the user, as any API keys linked to that user’s account will be removed as well.

Logit

You can log in to Logit using Google SAML from the Google Apps menu. The “Digital Marketplace” team on the GDS Logit account is used to manage access to our preview, staging and production stacks.

Admins

Logit users with the Administrator role.

API tokens and other shared credentials

Once access to AWS, the credentials repo and Jenkins has been removed, the shared credentials in the credentials repository can be recycled. The main things that need to be renewed:

  • Production tokens for API and search API (require Infrastructure update and re-releasing all apps). Follow the instructions for rotating API keys.
  • Any Digital Marketplace production admin accounts that the user had access to should be either disabled or have their passwords changed (see below)
  • Passwords for user accounts used in the smoke and smoulder tests (use the Rotate functional test account passwords Jenkins job)
  • Shared logins for other tools such as npmjs.com, found in the digitalmarketplace-credentials/pass folder.

Snyk

We use Snyk to monitor vulnerabilities in our dependencies, via email alerts and pre-merge checks of any new dependencies brought in via a pull request. See Vulnerability scanning for details.

Developers can be invited to/removed from Snyk via the ‘Members’ tab of the Digital Marketplace organisation settings. The developer can then log in using their Google account, and select the ‘Digital Marketplace’ organisation from the top drop down box to view the status for each app.

Cloud Security Watch

CSW is a tool developed by the Cyber Security team that audits our AWS accounts daily for configuration vulnerabilities. For a developer to gain access to its web interface, they will need to submit their GDS email address to the tool’s Slack channel.

Digital Marketplace administrators

Accounts to access the Digital Marketplace admin app can be managed by logging in to the Digital Marketplace with an account with the “admin-manager” role.

Our production “admin-manager” user credentials are stored in digitalmarketplace-credentials/pass folder. This account can be used to invite new admin users and deactivate or change the permissions for existing admin users.

Leavers

We have a template Trello ticket to help with removing leavers here.

As well as using the Trello ticket to remove individual accounts from all of the above services, there should be a GDS Helpdesk ticket to revoke GDS credentials (Google Apps account, email address, etc.).