Introduction
About
This guide provides instructions on how to:
- Set up the Beyond Identity (BI) Authenticator to sign and verify commits with AWS DevOps.
- A Beyond Identity Authenticator with the GPG key entitlement can sign and verify code on typical DevOps events such as push and pull. The event triggers signature validation as part of the CI/CD pipeline, which is a powerful control for securing the SDLC process.
- A GPG key generated on the BI Authenticator can be used to sign many repositories, but a repository can be signed with only one key.
- The email used to sign must be enrolled in the Beyond Identity tenant.
Prerequisites
Ensure that you have the following:
- A tenant configured for your organization that is able to enroll users.
- Integration with your SSO provider. The instructions differ by SSO provider; refer to the integration guides at the link below.
  https://beyondidentity.atlassian.net/wiki/spaces/CS/pages/1063813121/SSO+Integration+Guides
  The BI admin console and BI user console do not need to be set up for this.
- A configured source code repository and project, with users entitled to pull, commit and merge source code.
- The users who will sign code must be enrolled in the BI tenant and have downloaded the BI Authenticator.
- A CI/CD pipeline already set up (optional).
Beyond Identity Tenant Configuration
Information to provide to the Beyond Identity Field Team to setup a tenant:
- Your company name
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF.
BI configuration for AWS Devops
- Generate Key management token
- Get authenticator entitlement to generate GPG keys
- Generate GPG Key
- Set repository path on the authenticator
Generate key management token
Beyond Identity Field Team: Please generate key management token through Beyond Identity Support Console for the tenant. This token will be used in the CI/CD pipeline as the value of BYNDID_KEY_MGMT_API_TOKEN in later steps.
Get authenticator entitlement to generate GPG keys
- Ensure “Commit-Signing” is enabled for the tenant. This is done through the support console; a BI SME can help with this.
- After it is enabled, a member of the Super administrator group in the Beyond Identity admin console should create a group with the exact name “BI_SDO_GPG_Key_Creation”.
- Members of the “BI_SDO_GPG_Key_Creation” group are entitled to generate GPG keys and configure repository paths.
- Using the Beyond Identity admin console, add users to this group. These users will see “GPG keys” in their platform authenticator.
  On clicking the “GPG Keys” link, you should see a screen with options to create GPG keys and configure them.
  Click “Create”.
  Ensure the email address matches the email configured to perform git operations. You can omit the expiration date.
Set Repository Path on the authenticator
After creating the key, you should see the key in the Authenticator and “…” to the right. Click “…” and choose “Set repository”.
Browse to the local path of the repository root and click Configure.
AWS
The components of the AWS DevOps ecosystem used in the Beyond Identity SDO integration are described below.
Component | Use |
--- | --- |
AWS CodeCommit | “AWS CodeCommit is a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.” AWS CodeCommit is the code repository. |
AWS CodeBuild | “AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.” The build project runs the Beyond Identity container image that performs code-signature verification. |
AWS CodePipeline | “AWS CodePipeline is a continuous integration and continuous delivery service for fast and reliable application and infrastructure updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define.” The CI/CD pipeline configured with “buildspec.yml”. |
- Create an AWS account and give the IAM user you will use roles with full permissions to CodeCommit, CodeBuild and CodePipeline.
- Create Git credentials for the IAM user. These credentials are used with git commands such as git clone, commit and push.
- Create a code repository with AWS CodeCommit.
- Add a “buildspec.yml” in the root of the repository. The buildspec file runs the command “/bin/action” from the BI docker image, which performs code-signature verification.
- buildspec.yml file contents:

```yaml
version: 0.2
phases:
  install:
    commands:
      - echo "install"
  pre_build:
    commands:
      - echo "pre build"
  build:
    commands:
      - echo "build"
      # /bin/action is the signature-verification entrypoint of the
      # Beyond Identity image configured as the CodeBuild environment.
      - /bin/action
```
- Create and configure a build project with AWS CodeBuild:
  - Specify AWS CodeCommit as the source provider and the repository created earlier as the repository.
  - Select Reference Type “Branch” and choose “main” as the branch.
  - Select “Custom Image” under “Environment Image”. Under “Image registry”, choose “Other registry”.
  - Type “byndid/auth-commit-sig:0.4.1-debian” as the value for External registry URL. This is the Beyond Identity container image that performs code-signature verification.
  - Add an environment variable API_TOKEN whose value is the key management token generated in the “Generate key management token” step.
  - Under “Buildspec”, choose “Use a buildspec file”.
- Create a CodePipeline:
  - Choose pipeline settings:
    - Pipeline name: in this example, helloworldpipeline
    - Service role: New service role; allow AWS CodePipeline to create a new role
    - Artifact store: Default location
    - Encryption key: Default AWS managed key
  - Source provider: AWS CodeCommit
  - Repository name: helloworld
  - Change detection options: AWS CodePipeline
  - Under “Output artifact format”, choose “Full Clone”. This choice makes the git metadata available to the Beyond Identity container.
  - Choose “Skip deploy stage”.
- Test run:
  - Clone the code.
  - Set the repository path on the GPG key in the Authenticator.
  - Make changes to files.
  - Add.
  - Commit with signing.
  - Push.
  - Check build history in AWS CodeBuild. You should see the job “succeeded”.
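As an added example (not part of the Beyond Identity guide or its container image), the local side of the test run above: a POSIX shell snippet that points a clone at the enrolled email and the Authenticator-generated key, enables signing by default, and checks that HEAD carries a good signature before pushing, a local counterpart of the verification the pipeline performs. The key id and email are placeholders; it assumes git is installed and the key has already been created in the Authenticator.

```shell
#!/bin/sh
# Added example: local pre-push check for signed commits.
# Assumptions: git is installed; the GPG key exists in the BI Authenticator
# and its key id is known; the email matches the one enrolled in the tenant.

# Point a repository at the enrolled email and the Authenticator-generated key,
# and make every commit in this repository signed by default.
configure_signing() {
  repo="$1"; email="$2"; keyid="$3"
  git -C "$repo" config user.email "$email"
  git -C "$repo" config user.signingkey "$keyid"
  git -C "$repo" config commit.gpgsign true
}

# Print git's signature status letter for HEAD: G = good signature,
# N = no signature, B = bad, E = error, U = good but untrusted key.
head_sig_status() {
  git -C "$1" log -1 --format='%G?'
}

# Return 0 only when HEAD has a good signature; run this before `git push`
# so an unsigned commit is caught locally instead of by a failed build.
head_is_signed() {
  [ "$(head_sig_status "$1")" = "G" ]
}

# Constructed demo repository with one deliberately unsigned commit
# (gpgsign forced off for that commit so the demo runs without a GPG key).
make_demo_repo() {
  dir="$(mktemp -d)"
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "Demo"
  echo hello > "$dir/README.md"
  git -C "$dir" add README.md
  git -C "$dir" -c commit.gpgsign=false commit -q -m "unsigned demo commit"
  echo "$dir"
}

# Usage on the demo repo: signing is now configured, but the existing HEAD
# is unsigned, so head_is_signed fails and the push should not proceed.
demo="$(make_demo_repo)"
configure_signing "$demo" "dev@example.invalid" "PLACEHOLDER_KEY_ID"
if head_is_signed "$demo"; then echo "HEAD signed: ok to push"; else echo "HEAD unsigned: sign before pushing"; fi
```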
Appendix
AWS DevOps prerequisites:
- Create an account
  - Use the same email account that you will use to sign and verify code.
- Create a repository
  - Sign in with the same email account that you will use to sign and verify code.
  - You should have privileges to clone, modify and commit changes.
Create an account
- AWS Devops: https://portal.aws.amazon.com/billing/signup#/start
Create Repository
- AWS CodeCommit: https://aws.amazon.com/codecommit/
- AWS Devops: https://aws.amazon.com/devops/
Starting with Git