Establish access for nix release process

[arianvp]

Currently it seems nix releases are done with an IAM user called tmp-eelco-nix-release . This user was recently created (after we did the audit and cleanup of all the IAM users at the start of the year).

We do not want to use IAM users anymore; as they expose long-lived credentials which if leaked need to be actively rotated.

Instead all access by humans should go through IAM identity center; which only gives you temporary credential.

Credentials can be used in CLI using:

aws configure sso

and if the tool you're using doesn't support SSO credential chain:

source $(aws configure export-credentials)

Lets help nix team to work with this new workflow. Or even better: have CI do the release process and not human?

[arianvp]

cc @edolstra I accidentally deleted your account on IAM Identity Center just now during cleanup as I wasn't aware you were still actively using AWS access for Nix releases. I can re-add you with the right permissions and then you should be able to do the release process through the the above workflow. Can you send me the email address that you would like to use for this user in Matrix? Until then you can keep using the tmp-eelco-nix-release user which I assume is the one you're using for releases atm.

[arianvp]

The current policy for the nix-releases bucket is the following:

the s3-upload-releases user has access to it

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::nix-releases/*"
        },
        {
            "Sid": "AllowPublicList",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::nix-releases"
        },
        {
            "Sid": "AllowUpload",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::080433136561:user/s3-upload-releases",
                    "arn:aws:iam::065343343465:user/nixos-s3-upload-releases"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::nix-releases/*"
        }
    ]
}

[arianvp]

arn:aws:iam::080433136561:user/s3-upload-releases exists.

arn:aws:iam::065343343465:user/nixos-s3-upload-releases does not exist.

Pluto has access to s3-upload-releases through the

infra/build/secrets.nix

Line 10 in 60f048b

hydra-mirror-aws-credentials = [ machines.pluto ];

secret