WPB-11617: Setup a scoped user for cargohold (#814)

sghosh23 · web-flow · commit 252bd07d6f5b · 2025-10-02T16:38:32.000+01:00
* feat: add cargohold IAM setup

* feat: add changelog entry for cargohold IAM setup

* update the comments

* remove the flag from zauth cmd

* remove the delete object permission from th policy
diff --git a/ansible/minio.yml b/ansible/minio.yml
@@ -24,6 +24,9 @@
       # The second minio instance on this server.
       server2:
         server_addr: ":9092"
+    # Cargohold IAM setup
+    cargohold_policy_name: "cargohold-assets-policy"
+    cargohold_user_name: "cargohold-user"
   roles:
     - role: ansible-minio
       minio_layout: server1
@@ -60,12 +63,79 @@
       run_once: true
       tags: mc-config
 
+    # Cargohold IAM Setup
+    - name: "Create cargohold policy file"
+      copy:
+        content: |
+          {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "s3:GetObject",
+                  "s3:PutObject",
+                  "s3:ListBucket"
+                ],
+                "Resource": [
+                  "arn:aws:s3:::assets",
+                  "arn:aws:s3:::assets/*"
+                ]
+              }
+            ]
+          }
+        dest: "/tmp/{{ cargohold_policy_name }}.json"
+      run_once: true
+      tags: cargohold-iam
+
+    - name: "Add cargohold policy to MinIO"
+      shell: "mc admin policy create local {{ cargohold_policy_name }} /tmp/{{ cargohold_policy_name }}.json"
+      run_once: true
+      ignore_errors: yes # Policy might already be attached, which is fine
+      tags: cargohold-iam
+
+    - name: "Generate random password for cargohold user"
+      set_fact:
+        cargohold_temp_password: "{{ 999999999999999999999 | random | to_uuid }}"
+      run_once: true
+      tags: cargohold-iam
+
+    - name: "Create cargohold IAM user"
+      shell: "mc admin user add local {{ cargohold_user_name }} {{ cargohold_temp_password }}"
+      run_once: true
+      ignore_errors: yes # Will fail if user already exists, which is fine
+      tags: cargohold-iam
+
+    - name: "Attach policy to cargohold user"
+      shell: "mc admin policy attach local {{ cargohold_policy_name }} --user {{ cargohold_user_name }}"
+      run_once: true
+      ignore_errors: yes # Policy might already be attached
+      tags: cargohold-iam
+
+    - name: "Create service account for cargohold with specific access key"
+      shell: "mc admin user svcacct add --access-key {{ minio_cargohold_access_key }} --secret-key {{ minio_cargohold_secret_key }} local {{ cargohold_user_name }}"
+      run_once: true
+      register: cargohold_svcacct_result
+      ignore_errors: yes # Will fail if key already exists, which is fine
+      tags: cargohold-iam
+
+    - name: "Verify cargohold service account"
+      shell: "mc admin user svcacct ls local {{ cargohold_user_name }}"
+      run_once: true
+      register: cargohold_svcacct_list
+      tags: cargohold-iam
+
+    - name: "List cargohold service accounts"
+      debug:
+        var: cargohold_svcacct_list.stdout
+      tags: cargohold-iam
     - name: "remove unneeded config aliases added by default"
       shell: "mc config host rm {{ item }}"
       with_items:
         - gcs
         - s3
         - play
+      ignore_errors: yes
       tags: mc-config
 
   # This play has to run after minio is installed and buckets are configured
diff --git a/bin/offline-secrets.sh b/bin/offline-secrets.sh
@@ -12,6 +12,9 @@ zrest="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 64)"
 minio_access_key="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20)"
 minio_secret_key="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 42)"
 
+minio_cargohold_access_key="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20)"
+minio_cargohold_secret_key="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 30)"
+
 zauth="$(sudo docker run $ZAUTH_CONTAINER -m gen-keypair)"
 
 zauth_public=$(echo "$zauth" | awk 'NR==1{ print $2}')
@@ -46,8 +49,8 @@ brig:
       secret: "dummy"
 cargohold:
   secrets:
-    awsKeyId: "$minio_access_key"
-    awsSecretKey: "$minio_secret_key"
+    awsKeyId: "$minio_cargohold_access_key"
+    awsSecretKey: "$minio_cargohold_secret_key"
     rabbitmq:
       username: wire-server
       password: verysecurepassword
@@ -94,6 +97,8 @@ if [[ ! -f $ANSIBLE_DIR/inventory/offline/group_vars/all/secrets.yaml ]]; then
   cat << EOT > $ANSIBLE_DIR/inventory/offline/group_vars/all/secrets.yaml
 minio_access_key: "$minio_access_key"
 minio_secret_key: "$minio_secret_key"
+minio_cargohold_access_key: "$minio_cargohold_access_key"
+minio_cargohold_secret_key: "$minio_cargohold_secret_key"
 EOT
 fi
 
diff --git a/changelog.d/0-release-notes/add-iam-user-for-cargohold b/changelog.d/0-release-notes/add-iam-user-for-cargohold
@@ -0,0 +1 @@
+Changed: cargohold service will use the scoped `cargohold user` with least privilege, so that it has the necessary access to its bucket `assets` only
diff --git a/values/wire-server/prod-secrets.example.yaml b/values/wire-server/prod-secrets.example.yaml
@@ -35,9 +35,10 @@ cannon:
 
 cargohold:
   secrets:
-    # these only need to be changed if using real AWS services
-    awsKeyId: dummykey
-    awsSecretKey: dummysecret
+    # Change the awsKeyId and awsSecretKey with the IAM user credentials for cargohold
+    # Get the secrets and key from the ansible/inventory/offline/group_vars/all/secrets.yml
+    awsKeyId: dummykey # replace with minio_cargohold_access_key
+    awsSecretKey: dummysecret # replace with minio_cargohold_secret_key
     rabbitmq:
       username: wire-server
       password: verysecurepassword

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Changed: cargohold service will use the scoped `cargohold user` with least privilege, so that it has the necessary access to its bucket `assets` only