CircleCI Field Guide

CERA Permissions

AWS Access

See [Running your own] for initial setup. Once provisioned, the environment exposes two key roles available for assumption: Operator and Pipeline.

Pipeline Access

The Pipeline uses CircleCI OIDC tokens and the provisioned policies to assume our Pipeline role, which grants relatively extensive rights in the account. That is acceptable because only reviewed/approved changes ever get to use this access.

Operator Access

The Operator (devs) will use SSO or AWS access keys to log in as a role (provided to CERA) that can then assume the shared operator role.

The operator role is mostly limited to EKS operations, not broader AWS actions.

Break the glass

Operators can set a “break the glass” variable to escalate their access, assuming the pipeline role instead of the operator role.

Sample AWS Config

Below is a sample AWS profile configuration with the 3 roles an operator would use (one login, 2 assumed).

[profile pipeline-btg]
# The Pipeline "Break the Glass" role only works when IaC switches it on.
# It gets the full rights of the pipeline role, which is extensive AWS access.
role_arn = arn:aws:iam::12345789:role/cera-fe-pipeline-role
role_session_name = Operator_BTG_Session
region = us-west-2
sso_start_url = https://circleci.awsapps.com/start
sso_region = us-east-1
# We assume this role through the primary role (via a trust policy)
source_profile = field

[profile operator]
# The operator role enables just enough AWS access to support operations of the EKS cluster.
role_arn = arn:aws:iam::12345789:role/cera-fe-operator-role
role_session_name = Operator_Pipeline_Session
region = us-west-2
sso_start_url = https://circleci.awsapps.com/start
sso_region = us-east-1
# We assume this role through the primary role (via a trust policy)
source_profile = field

[profile field]
# The 'primary' role is the one accessed via SSO, same as the console role.
sso_start_url = https://circleci.awsapps.com/start
sso_region = us-east-1
sso_account_id = 12345789
# You can log in directly to this role, which is provided by IT.
sso_role_name = admin-provided-role-for-sso
region = us-east-2
output = json
credential_process = aws-vault exec --json
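The profile layout above works because each assumed-role profile points back, via source_profile, to the single SSO login profile. The following Python script is an added example (not part of the field guide or the CERA tooling) that parses such a config with the standard library, resolves each role chain to its login profile, and flags layouts a reviewer would want to catch: a chain that does not end at an SSO profile, a role_arn in a different account than sso_account_id, or a missing role_session_name (without one, CloudTrail sessions are harder to attribute to an operator). The embedded config is the guide's sample, trimmed to the keys that matter for chaining; the 12345789 account ID is the guide's own placeholder.

```python
"""Audit role chaining in an AWS CLI config file (added example)."""
import configparser
from typing import Dict, List

# Constructed sample input: the three profiles from the field guide,
# reduced to the keys that matter for chaining.
SAMPLE_CONFIG = """
[profile pipeline-btg]
role_arn = arn:aws:iam::12345789:role/cera-fe-pipeline-role
role_session_name = Operator_BTG_Session
source_profile = field

[profile operator]
role_arn = arn:aws:iam::12345789:role/cera-fe-operator-role
role_session_name = Operator_Pipeline_Session
source_profile = field

[profile field]
sso_start_url = https://circleci.awsapps.com/start
sso_region = us-east-1
sso_account_id = 12345789
sso_role_name = admin-provided-role-for-sso
"""


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse AWS config text into {profile_name: {key: value}}.

    The AWS config file uses INI syntax with sections named
    "profile <name>" (the default profile is just "[default]").
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Follow source_profile links from `name` to the profile that logs in.

    Returns the chain leaf-first, e.g. ["pipeline-btg", "field"].
    Raises on unknown profiles and on source_profile loops.
    """
    chain: List[str] = []
    seen = set()
    while True:
        if name not in profiles:
            raise KeyError(f"profile {name!r} referenced but not defined")
        if name in seen:
            raise ValueError(f"source_profile loop at {name!r}")
        seen.add(name)
        chain.append(name)
        nxt = profiles[name].get("source_profile")
        if nxt is None:
            return chain
        name = nxt


def account_of(role_arn: str) -> str:
    """Extract the account ID from arn:aws:iam::ACCOUNT:role/NAME."""
    return role_arn.split(":")[4]


def audit(profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {assumed_role_profile: [issues]} for every profile with a role_arn."""
    findings: Dict[str, List[str]] = {}
    for name, prof in profiles.items():
        if "role_arn" not in prof:
            continue  # a login profile, not an assumed role
        issues: List[str] = []
        root = profiles[resolve_chain(profiles, name)[-1]]
        if "sso_start_url" not in root:
            issues.append("chain does not end at an SSO login profile")
        sso_account = root.get("sso_account_id")
        if sso_account and account_of(prof["role_arn"]) != sso_account:
            issues.append("role_arn account differs from sso_account_id")
        if "role_session_name" not in prof:
            issues.append("no role_session_name; sessions will be hard to attribute")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    loaded = load_profiles(SAMPLE_CONFIG)
    for profile_name in ("pipeline-btg", "operator"):
        print(profile_name, "->", " -> ".join(resolve_chain(loaded, profile_name)))
    print(audit(loaded))
```

To run it against a real file, replace SAMPLE_CONFIG with the contents of ~/.aws/config; the same checks apply unchanged. A clean result is an empty issue list for every assumed-role profile.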

K8s Access

Operators

Through the AWS access described above, operators can run the aws eks update-kubeconfig command to obtain a valid kubeconfig file for kubectl.

App Teams

App teams' interactions with K8s are limited to pipelines. Application pipelines (see demo apps) use OIDC tokens to get k8s credentials from Vault.

An app team can SSH-debug their app's pipeline runs to use those same K8s credentials for debugging, limited to their own namespace.

Tool Access

Vault Access

Apps

Apps use their CircleCI OIDC token to get access to the proper secret paths in Vault. See “App Teams” above.

Admin

If you need root access, the Vault root token is stored in a secret in the same namespace.

Nexus Access

Admin user

The password for the admin user is set at deploy time and should be stored in a team vault.