Apart from Github team membership, access to the following things should only be given after Security Clearance has been completed.
Many of these steps involve scripts that need to know where you’ve checked out the
credentials repository. Either preface each command with
export that variable before you start.
There are two main teams in the alphagov Github organization:
- Gives admin access to most digitalmarketplace repositories. Can be given to new developers before their Security Clearance (SC) has been completed.
- Gives access to the private digitalmarketplace-credentials repository - SC only.
AWS accounts are currently used for access to encrypted credentials, accessing CloudWatch logs, S3 (the storage backend) and for managing our Jenkins (CI) box.
Available accounts, roles and the how developers should get themselves set up, are described in AWS accounts and access.
Users are managed using our iam-users Terraform module.
- Edit the
- In the digitalmarketplace-credentials repo add new
users to the correct roles in
- instructions in digitalmarketplace-credentials
- Back in the digitalmarketplace-aws repo, go to
AWS_PROFILE=main-infrastructure make plan
- make sure the changes Terraform will make are sane and represent only your intended alterations
- if not - are your branches up-to-date with master?
- Have PRs approved on the digitalmarketplace-aws and the digitalmarketplace-credentials repo’s.
- Again from
When adding a user, you should now go to the users list in the IAM service, and give them a temporary password so that they can log in to the AWS Console.
- The user must then log in, change their password, and set up their 2FA device - see AWS accounts and access.
Access to the credentials requires access to the repo (either by being a member of the digitalmarketplace-admin Github team or an owner of the alphagov Github organization) and an AWS account with a developer or an admin role.
Removing AWS user account or permissions disables the ability to decrypt the credentials.
Users should sign up for their own account with their work email address. Users can then be invited to the “digitalmarketplace” organisation.
Add or remove users from the list of Jenkins users in jenkins-vars/jenkins.yaml in the credentials repo.
Then, from a checkout of the latest (master) Jenkins repo, apply the change with:
make jenkins TAGS=keys
- This will allow the new user SSH access by adding their Github public key to the jenkins
make jenkins TAGS=config(restarts Jenkins, notify the team and use shutdown mode like when upgrading Jenkins)
- This adds the user as a Jenkins administrator by creating an entry in the config XML for them.
Removing the user from the Jenkins users list also removes their SSH key from the list of authorized keys on the Jenkins instance.
- Users can be invited to the digitalmarketplace PaaS organisation by an OrgManager,
- from the PaaS admin tool. Users can also be removed in the admin.
All security-cleared developers should be added to the
monitoring spaces; we add and
remove developers from the
production spaces as required (e.g. when transitioning on or off
They can be added/removed from a role as follows:
cf set-space-role <user-email> digitalmarketplace <space> SpaceDeveloper cf unset-space-role <user-email> digitalmarketplace <space> SpaceDeveloper
Users should sign up for their own account with their work email address. Users can then be invited to the “Digital Marketplace” service team members.
Users should sign up for their own account with their work email address. Users can be invited to the “Government Digital Service” Mailchimp account. Users will need to set up two-factor authentication to access Mailchimp.
There is a shared developer Mailchimp account for the creation of API keys (see logins.enc in the credentials repo).
Admins users in the Mailchimp account.
If a developer is leaving the team and has a Mailchimp API key linked to their account, ensure a replacement API key has been created using the DM developer account (and is stored in the credentials repo) before removing the user, as any API keys linked to that user’s account will be removed as well.
You can log in to Logit using Google SAML from the Google Apps menu. “Digital Marketplace” team on the GDS Logit account is used to manage access to our preview, staging and production stacks.
We use Snyk to monitor vulnerabilities in our dependencies, via email alerts and pre-merge checks of any new dependencies brought in via a pull request. See Vulnerability scanning for details.
Developers can be invited to/removed from Snyk via the ‘Members’ tab of the Digital Marketplace organisation settings. The developer can then log in using their Google account, and select the ‘Digital Marketplace’ organisation from the top drop down box to view the status for each app.
CSW is a tool developed by the Cyber Security team auditing dayly our AWS accounts for vulnerabilities to their configuration. For a developer to gain access to its web interface, they will need to submit their GDS email address to the tool’s slack channel.
Accounts to access the Digital Marketplace admin app can be managed by logging in to the Digital Marketplace with an account with the “admin-manager” role.
Our production “admin-manager” user credentials are stored in
digitalmarketplace-credentials/pass folder. This
account can be used to invite new admin users and deactivate or change the permissions for existing admin users.