Surveyor: Default Access Credentials for AWS

Question

Surveyor: Default Access Credentials for AWS

Closed this issue 2 years ago · 7 comments

@TutiGomoka noticed an issue in the running of the "attendance survey" Github Action related to the MTurk Surveyor framework

from the error messages, we believe this issue has to do with expired or otherwise non functioning AWS Credentials
In the Surveyor repository, the AWS credentials were set explicitly in as encrypted secrets ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")...if these are associated with the IAM User Sumant created ("sumants"), we should consider replacing these with credentials from a "generic" user and document more clearly its purpose (for specific use with Surveyor for example)
sample of error from Github Actions: https://github.com/Watts-Lab/surveyor/runs/6882342735?check_suite_focus=true#step:7:12
Locally verify and replicate issue with existing AWS Credentials from Github Actions
Create new AWS Credentials with same access as sumants
Locally verify that new credentials can run necessary AWS commands
Add new credentials to Surveyor Repo, replacing old ones
Test "attendance survey" Github action

Notes:

"Attendance survey" action: https://github.com/Watts-Lab/surveyor/blob/main/.github/workflows/deploy.yml
Surveyor repo: https://github.com/Watts-Lab/surveyor/

Answer 1 · 2022-06-14T15:17:42.000Z

Just as a quick check, can we see if any keys that @sumants-dev was using have been expired?

And either way, we should easily be able to create a new set and try them out, right?

Why I mention this is that I wonder if the problem is something else, and if so, the key aspect shouldn't hold us up too much, right?

Answer 2 · 2022-06-14T15:30:07.000Z

Yes, there is an active credential under @sumants-dev: https://us-east-1.console.aws.amazon.com/iam/home#/users/sumants?section=security_credentials. The credentials is not expired though. However, I can't verify that these are the same keys that are used in the Github actions since the credentials used are stored as Github Secrets, which Github does not allow you to access once set.

Yup, I'm going to try just creating a new set of credentials and trying those first.

Answer 3 · 2022-06-14T15:48:47.000Z

OK. Interesting. We should be able to see if those credentials were recently used.

Answer 4 · 2022-06-14T15:49:14.000Z

BTW, I'm fine with you creating new ones for the resource and putting those there too! Thank you!

Answer 5 · 2022-06-14T18:18:12.000Z

I tested some new credentials from the sumants IAM user and they work as expected.

I'll update the default AWS Credentials in the Surveyor repo, and we can test the "attendance survey"

Answer 6 · 2022-06-14T18:19:46.000Z

Great, thanks!

Answer 7 · 2022-06-14T18:47:15.000Z

Looks like we're good to go. I replaced the AWS credentials cited in the Github action YML file, and @TutiGomoka and I just tested the jobs we needed to run.

https://github.com/Watts-Lab/surveyor/blob/main/.github/workflows/deploy.yml

I'll follow up with a few more thoughts here