Open
Story Summary
As a platform maintainer, I want separate Bitwarden machine accounts for each environment, so that each CI/CD pipeline only has access to its environment's secrets.
✅ Acceptance Criteria
- Create Bitwarden machine accounts:
  - ghost-sysext-dev: access to dev R2 credentials only
  - ghost-sysext-staging: access to staging R2 credentials only
  - ghost-sysext-prod: access to prod R2 credentials only
- Store R2 credentials in Bitwarden with environment-specific secret IDs:
  - R2_ACCESS_KEY_ID_DEV / R2_SECRET_ACCESS_KEY_DEV
  - R2_ACCESS_KEY_ID_STAGING / R2_SECRET_ACCESS_KEY_STAGING
  - R2_ACCESS_KEY_ID_PROD / R2_SECRET_ACCESS_KEY_PROD
- Configure machine account access so each only sees its environment's secrets
- Add GitHub repository secrets:
  - BWS_ACCESS_TOKEN_DEV
  - BWS_ACCESS_TOKEN_STAGING
  - BWS_ACCESS_TOKEN_PROD
- Document the secret ID mappings for the fetch-secrets.sh script
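A sketch of the per-environment mapping that fetch-secrets.sh would need, as an added example rather than the project's own script: it resolves the token variable and secret names for exactly one environment, fails closed when that environment's token is absent instead of falling back to a shared BWS_ACCESS_TOKEN, and checks the keys a machine account can list for cross-environment leakage. The `bws` and `jq` calls in the last function are assumed to be installed and are not exercised here.

```shell
# Added example, not the project's fetch-secrets.sh. Names follow the
# acceptance criteria above; the bws/jq invocation is an assumption.
set -e

# GitHub secret name holding the BWS machine-account token for $1.
bws_token_var() {
  case "$1" in
    dev)     echo BWS_ACCESS_TOKEN_DEV ;;
    staging) echo BWS_ACCESS_TOKEN_STAGING ;;
    prod)    echo BWS_ACCESS_TOKEN_PROD ;;
    *)       echo "unknown environment: $1" >&2; return 1 ;;
  esac
}

# Bitwarden secret keys (access key id, secret key) for environment $1.
r2_secret_names() {
  bws_token_var "$1" >/dev/null || return 1
  suffix=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  echo "R2_ACCESS_KEY_ID_${suffix} R2_SECRET_ACCESS_KEY_${suffix}"
}

# Read the token for $1 from the pipeline environment. No fallback to a
# shared BWS_ACCESS_TOKEN: a missing per-environment token is an error.
resolve_token() {
  var=$(bws_token_var "$1") || return 1
  eval "tok=\${$var:-}"
  [ -n "$tok" ] || { echo "$var is not set" >&2; return 1; }
  printf '%s' "$tok"
}

# Verify the isolation criterion: given environment $1 and the secret keys
# its machine account can list ($2...), fail if any R2 key belongs to a
# different environment. Feed it the keys returned by `bws secret list`.
check_isolation() {
  envname="$1"; shift
  want=$(printf '%s' "$envname" | tr '[:lower:]' '[:upper:]')
  for key in "$@"; do
    case "$key" in
      R2_ACCESS_KEY_ID_"$want"|R2_SECRET_ACCESS_KEY_"$want") ;;
      R2_ACCESS_KEY_ID_*|R2_SECRET_ACCESS_KEY_*)
        echo "$envname account can read $key" >&2; return 1 ;;
    esac
  done
}

# Fetch both R2 values for $1 (assumes bws and jq are installed).
fetch_r2_credentials() {
  tok=$(resolve_token "$1") || return 1
  for k in $(r2_secret_names "$1"); do
    bws secret list --access-token "$tok" \
      | jq -r --arg k "$k" '.[] | select(.key == $k) | .value'
  done
}
```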
📝 Additional Context
- Depends on GHO-39 (R2 buckets and API tokens must exist first)
- This provides defense-in-depth: even if a BWS token is compromised, it can only access one environment
- The CLOUDFLARE_ACCOUNT_ID can remain shared since it's not sensitive
- Current implementation uses a single BWS_ACCESS_TOKEN for all environments
📦 Definition of Ready
- Acceptance criteria defined
- No unresolved external dependencies (blocked by GHO-39)
- Story is estimated
- Team has necessary skills and access
- Priority is clear
- Business value understood
✅ Definition of Done
- All acceptance criteria met
- Unit/integration tests written & passing
- Peer-reviewed (PR approved)
- Docs updated (if applicable)
- Verified in staging (if needed)
- No critical bugs/regressions