google / oss-rebuild

Securing open-source package ecosystems by originating, validating, and augmenting build attestations.
Apache License 2.0

Split metadata bucket. #58

Closed wbxyz closed 1 month ago

wbxyz commented 2 months ago

Previously the metadata bucket was used for both the rebuilt artifacts and the build info/Dockerfile.

This gave cloud build unnecessary access to both the build info and the Dockerfile, which are both written and read by the orchestrator.

After this PR, cloud build only has Create access to the newly created rebuild-artifacts bucket. That bucket only stores:

  1. The rebuilt artifact.
  2. The docker image used for the build.

Further, cloud build no longer has access to the metadata bucket, which contains the build info and Dockerfile. Because it's only used locally to the orchestrator, I considered switching it to a filesystem or in-memory asset store, except we want these assets available for debugging, so I'm keeping it as a bucket for now.

One interesting effect of this PR is that verifier.SummarizeArtifacts only requires rebuildStore and verifier.CreateAttestations only requires the metadata store, clearly distinguishing where each of those steps gets its input.

This further reduces the already tightly restricted permissions afforded the cloud build role.