Rules for getting production access
In the GOV.UK programme we restrict access to production systems for new or returning developers, SREs, and technical architects. We do so to defend against accidental mistakes and to provide time for people build knowledge in how to interact with our production systems safely. Note we have separate processes to protect against malicious activity, for example security clearance, probation, building secure systems with audibility etc.
Types of production access
We have two types of production access:
Production Deploy access
This level of access allows engineers to deploy code but not administer admin related systems. It should be granted to both civil servants and contractors as needed.
- Permission to deploy apps in Jenkins via the GOV.UK Production Deploy Github team
- Permission to merge pull requests in continuously deployed applications
- Readonly access to logging systems such as Logit, etc.
- AWS readonly access via the
role_user_user_arnsrole in Staging and Production
- “Normal” role in to GOV.UK Signon on Staging and Production (with app permissions granted as needed)
The steps above are outlined in the GOV.UK Production Deploy template Trello card, which can be copied to your team’s board and carried out by developers. You can ask 2nd line for help if you have any access issues.
When you get Production Deploy access
Access should be granted at the discretion of the engineer’s tech lead, once the engineer has the required level of security clearance (BPSS). Before approving access, tech leads should ensure that the engineer:
- is aware of our processes and standards around code review
- understands the responsibilities that releasing code brings with it
- knows how to roll back to an older release if there are any issues
- knows how to get help from someone with more access if they need it
Production Admin access
- Permission to read & write production and staging hieradata in govuk-secrets using GPG
- Permission to read & write to the password store in govuk-secrets store using GPG
- Access to Production Deploy Jenkins and Staging Deploy Jenkins to deploy applications via the GOV.UK Production GitHub team
- SSH access to production and staging servers via govuk-puppet
- Privileged AWS Access in Production, Staging and Tools environments (via the
- Google Cloud Platform (GCP) access to role to manage static mirrors and DNS
- Signon “Super Admin” access in production
engineerand “Access all services” permissions in Fastly
- GOV.UK PaaS Space developer and
Org manageraccess to all spaces in the govuk_development and data-gov-uk organisations
- Sentry “Manager” role to administer teams and people
The steps above are outlined in the GOV.UK Production Admin template Trello card, which is normally given whilst on 2nd line.
When you get Production Admin access
- You have a minimum of BPSS security clearance (blue building pass), AND
- You have passed your probation period, AND
- You have had at least one Technical 2nd Line shadow shift
Once these conditions are met, you will be drafted onto one last Technical 2nd Line shadow shift, where you will be granted supervised Production Admin access. You will need to ensure the Primary or Secondary supervises you whenever you use that access.
At the end of your shadow shift, you will retain your Production Admin access, and will no longer need to be supervised. However, you should ensure you are careful with the new access, and seek the support of your tech lead or your team whenever you’re in doubt.
Note that a Lead Developer or the Head of Technology is able to approve Production Admin access for individuals who may not have met all of the conditions above, where there is a business case to do so. In these cases, access should ideally be supervised at all times, and revoked after a pre-determined period of time.
Rules for Primary, Secondary and On Call
Once you have Production Admin access, you’ll be given the Secondary role on your next Technical 2nd line shift.
After two sessions as Secondary, you will be drafted onto the 2nd line on-call rota. You will also begin to fill the Primary role on some in-hours shifts.
Temporarily revoking access
If you’re absent more than 6 weeks, your access will be revoked. See the Trello leaver template card for the steps.