aws

2022-04-21T14:46:06.179429Z

What's the current best practice to get GitHub credentials to an EC2 instance? I need to pull from private GitHub repos. My current thinking is: put the GitHub SSH private key into Secrets Manager, restrict its access to an IAM role that you give to the instance profile of the EC2 instance, then run a script on the instance that fetches the secret and saves it.

lukasz 2022-04-21T14:47:51.036389Z

We're doing something like that - let me check how we solved it

lukasz 2022-04-21T14:55:45.752439Z

So, each team member that requires access has to generate a new key pair used only for access to the bastion instance. The same key is added to GH to allow pull/push. And lastly, we have a cloud-init template that creates ~/.ssh/authorized_keys for each user automatically on instance creation. So we don't need to worry about private keys really, as long as individuals take care of securing them on their end.

jumar 2022-04-21T15:07:15.186779Z

If there's a user on whose behalf you're doing the clone, then OAuth is a common choice.

2022-04-21T15:59:06.445519Z

So GitHub deploy keys would be added for each project for each user that works on it, right?

lukasz 2022-04-21T16:00:36.360239Z

Yes, that's how all CI systems automate this; there's an API to generate a key for deploy-only scenarios, I believe - not something I've worked with.

2022-04-21T16:00:54.165619Z

Cool, thanks for the input!

lukasz 2022-04-21T16:08:32.735029Z

(As an aside: we have factored GitHub out of deployments completely, but using Docker containers - and "fat" Debian packages before that.)