[CircleCI Security Alert] Rotate any secrets stored in CircleCI

@aaronstillwell I think y’all have to hit “Revoke all user tokens” on your Github app, as per @bwalding’s comment. As Github Enterprise customers, if we deauthorize the CircleCI app for our org, or remove engineers from our org, the CircleCI tokens stop having access to company resources. Cool! That’s what we want.

But if we reinstate those engineers or re-enable the app for our org, the potentially-compromised tokens start working again. Users do not have to re-authorize CircleCI with Github to continue using CircleCI and see company projects and resources. The compromised tokens do not get fully invalidated when the users or app gets removed.

So in short, it looks like there is nothing we can do, even as Github Business / Enterprise owners to nuke the Github access tokens provisioned by CircleCI. But if y’all hit that button, users should have to re-authorize and the potentially-compromised tokens should be nuked. Please hit it ASAP. Thanks!

Sorry for the delay in the response. Answering in-line:

More information will be shared on this as it becomes available. We will provide updates at that time on the original blog post.

We have not changed our IP since April 2022.

We recommend checking your audit logs on Github to see if repos were accessed. If the key used for decryption was stored as a secret, you will want to rotate it.

No update at this time, but once there is we will post here as well as update the original blog post as done yesterday.
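As an added example (not CircleCI's code and not posted by anyone in this thread), here is one way to turn the "check your GitHub audit logs" advice into a repeatable triage step: a Python script that reads a GitHub audit-log export in newline-delimited JSON, keeps only repository reads made through the CircleCI integration inside the incident window, lists which repos were touched (the rotation scope), and flags any read that came from an IP outside the egress ranges you expect CircleCI to use. The field names (`action`, `actor`, `actor_ip`, `repo`, `created_at`, `integration`), the integration name, the placeholder egress ranges, and the window start date are assumptions that you should check against your own export; the 00:00 UTC 5 January 2023 boundary is the token cutoff stated later in this thread. The sample log lines are constructed.

```python
"""Triage a GitHub audit-log export for repository reads via a CI integration.

Added example for this thread; not CircleCI's or GitHub's own tooling.
Field names follow the general shape of GitHub's audit-log JSON export,
but treat them as ASSUMPTIONS and adjust them to what your export contains.
"""
import ipaddress
import json
from datetime import datetime, timezone

# ASSUMPTION: the integration name as it appears in your audit log.
INTEGRATION_NAME = "CircleCI"

# ASSUMPTION: placeholder egress ranges (RFC 5737 documentation space).
# Replace with the ranges your CI provider publishes; CircleCI stated its
# IPs have not changed since April 2022, so reads through the CircleCI
# token from anywhere else deserve a look.
EXPECTED_EGRESS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# ASSUMPTION: start of the period you want to review.
INCIDENT_WINDOW_START = datetime(2022, 12, 16, tzinfo=timezone.utc)
# Tokens created before this point were revoked/rotated by CircleCI.
TOKEN_CUTOFF = datetime(2023, 1, 5, tzinfo=timezone.utc)

# Audit-log actions that mean repository content was read (assumed names).
READ_ACTIONS = {"git.clone", "git.fetch", "repo.access", "repo.download_zip"}

# Constructed sample export: five newline-delimited JSON events.
SAMPLE_LOG = """
{"action":"git.clone","actor":"alice","actor_ip":"203.0.113.7","repo":"acme/api","integration":"CircleCI","created_at":1671534000000}
{"action":"git.clone","actor":"alice","actor_ip":"192.0.2.44","repo":"acme/billing","integration":"CircleCI","created_at":1672369200000}
{"action":"repo.access","actor":"bob","actor_ip":"192.0.2.44","repo":"acme/api","created_at":1672369200000}
{"action":"git.fetch","actor":"alice","actor_ip":"198.51.100.9","repo":"acme/api","integration":"CircleCI","created_at":1672966800000}
{"action":"git.clone","actor":"alice","actor_ip":"192.0.2.44","repo":"acme/api","integration":"CircleCI","created_at":1672185600000}
"""


def parse_audit_log(ndjson_text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def event_time(event):
    """created_at is epoch milliseconds in the export (assumption)."""
    return datetime.fromtimestamp(event["created_at"] / 1000, tz=timezone.utc)


def from_expected_egress(ip_str):
    """True if the source IP falls inside one of the expected CI ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in EXPECTED_EGRESS)


def triage(events, window_start=INCIDENT_WINDOW_START, window_end=TOKEN_CUTOFF):
    """Return (suspicious, touched).

    touched    : sorted repo names read through the integration in the window
                 (everything here is in scope for secret rotation)
    suspicious : (repo, actor, ip, iso_time) for reads in the window whose
                 source IP is missing or outside EXPECTED_EGRESS
    """
    suspicious, touched = [], set()
    for ev in events:
        if ev.get("integration") != INTEGRATION_NAME:
            continue  # reads by humans or other apps are out of scope here
        if ev.get("action") not in READ_ACTIONS:
            continue
        ts = event_time(ev)
        if not (window_start <= ts < window_end):
            continue
        touched.add(ev["repo"])
        ip = ev.get("actor_ip", "")
        if not ip or not from_expected_egress(ip):
            suspicious.append((ev["repo"], ev.get("actor"), ip or "<no ip>", ts.isoformat()))
    return suspicious, sorted(touched)


def run_sample():
    """Run the triage over the constructed sample export."""
    return triage(parse_audit_log(SAMPLE_LOG))


if __name__ == "__main__":
    flagged, repos = run_sample()
    print("repos read via integration token in window:", repos)
    for repo, actor, ip, when in flagged:
        print(f"REVIEW {repo} actor={actor} ip={ip} at={when}")
```

On the sample, the read by `bob` without an integration is ignored, the fetch on 6 January falls after the cutoff and is ignored, and the two clones from `192.0.2.44` are reported for review while both `acme/api` and `acme/billing` land in the rotation scope. Git read events only appear in the audit log if your enterprise has enabled them, so confirm that before trusting an empty result.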

Is there any way of extracting the legacy AWS_ACCESS_KEY_ID from CircleCI? The UI gives the option to delete the legacy AWS credentials, but you can’t actually see what the ID is. This is important to be able to revoke/rotate the affected AWS access key. Is there an API/UI for finding this information?

I know there is the option of making a config.yml which spits out the value, but that doesn’t scale well for many repos.

1 Like

Following the steps in our support article, we recommend rotating all secrets listed in that page out of an abundance of caution.

Additionally, we’ve updated the page to share that we’re rotating all GitHub OAuth tokens for all users, and will provide an update when the process is complete.

That page doesn’t mention legacy AWS credentials which you are holding for certain projects, as identified by https://support.circleci.com/hc/en-us/articles/360021415793-Wrong-AWS-credentials-being-used

Does that mean those are safe and do not need to be rotated? How can we rotate them if we don’t know what they are?

The wording in the article for API tokens says “rotated”, which to me sounded like a new token was generated in its place. But do you really mean tokens were removed?

Also, this broke a lot of my automation suddenly. I am surprised there was no warning on this. We were using API token auth to rotate our secrets…

A new update has been pushed to the blog post:

Security update 01/06/2023

Our team is working to take every action available to assist customers in the mitigation of this incident.

Since our last update, our team has addressed the following areas on behalf of customers:

  • Personal and Project API Tokens: We have removed all Personal and Project API Tokens created before 00:00 UTC on January 5, 2023.
  • Bitbucket OAuth: As of 10:00 UTC on January 6, 2023 our partners at Atlassian expired all OAuth tokens for Bitbucket users. Bitbucket tokens will refresh for users upon login, and no additional action is needed here. Bitbucket users will still need to replace SSH tokens.
  • GitHub OAuth: We are currently rotating all GitHub OAuth tokens on behalf of customers. We expect this process to be complete by 00:00 UTC on Jan 7, 2023. We will update here when this process is done. Customers who wish to rotate their own GitHub OAuth tokens may follow the directions below.

Sorry if I miss tagging anyone, trying to get everyone who posted something related to this:
@duffn @traviscrist @ring-pete @david-davidson @atnak @microbit-matth @bwalding @TheMetalCode @agius

Thank you all for your patience as we try to get answers for other outstanding questions.

4 Likes

Just for clarity, are you rotating all github tokens, even ones that have been manually rotated since the breach was announced?

Yes, we’ve kicked off a queue of all users to rotate in addition to the notice sent. So it’s possible a manually rotated token will be rotated again, but there is no detriment or issue with rotating tokens multiple times. Sorry for any confusion this may cause!

Be careful doing this. As others have mentioned, if you have Bitbucket, be prepared to wait for a few days for free support to help you, or pony up for premium support.

That’s because CircleCI will NOT remove the Bitbucket integration on their end and your projects will error. According to everything we’ve learned, only CircleCI can remove what are essentially “ghost tokens.” So, we have to wait…

Hey there,

For this particular matter, we’re making sure free accounts are being addressed as quickly as possible. If you haven’t heard back yet, please feel free to shoot me a message here with the ticket ID and/or the subject line.

@DrTorte thank you for the quick reply. My ticket number is 124712. You can also see additional information (and more people affected) here: Cannot reconnect BitBucket account

If we can just get the error on https://app.circleci.com/projects/project-dashboard/github/{my-project}/ cleared, I’ll be happy. We took this opportunity to ditch Bitbucket, but CircleCI still errors out.

Hey Andy, we just updated the language in the support article to better reflect the latest updates in the blog post and the FAQ Compilation. To confirm though, CircleCI has revoked all personal and project API tokens created before 00:00 UTC on January 5, 2023.

Apologies for my late reply and the disruption this has caused; this could be communicated more clearly going forward.

1 Like

Thanks! I just responded in the ticket, and we’ll continue the conversation there.

All the best,

Kris

1 Like

“Delete the deploy key and add it again.” Nope, you still have to manually delete the associated SSH key after that.

Hey there,

I would definitely suggest rotating these as well. I’m afraid that you are correct in regards to how to get them out. If it is a private project, one of our colleagues created an (unofficial) config that might be helpful:

Absolutely do NOT run this on a public repo. And as with anything else, please make sure you look through it before you use it so that you can validate it.

Is this why my build might’ve broken this morning even though I already reset my keys and removed the old one?

Hey there,

In regards to your SSH key, that seems unusual and not as expected. Would you mind trying again? If it doesn’t delete properly, could you let us know where you’re seeing them?

In regards to builds breaking this morning: If the Personal or Project API Tokens used were created before January 5th, 00:00 UTC, then they would have been removed.

If the tokens were from after that point, though, they should not have been revoked. Is there a more specific error message?