What's the current best practice to get GitHub credentials to an EC2 instance? I need to pull from private GitHub repos. My current thinking is: put the GitHub SSH private key into Secrets Manager, restrict its access to an IAM role that you give to the instance profile of the EC2 instance, then run a script on the instance that fetches the secret and saves it.
We're doing something like that - let me check how we solved it
So, each team member that requires access has to generate a new key pair used only for access to the bastion instance. The same key is added to GH to allow pull/push. And lastly, we have a cloud-init template that creates ~/.ssh/authorized_keys for each user automatically on instance creation. So we don't need to worry about private keys really, as long as individuals take care of securing them on their end.
If there's a user on behalf of whom you're doing the clone, then OAuth is a common choice.
So GitHub deploy keys would be added for each project for each user that works on it, right?
Yes, that's how all CI systems automate this; there's an API to generate a key for deploy-only scenarios, I believe - not something I've worked with.
Cool, thanks for the input!
(As an aside: we have factored GitHub out of deployments completely, using Docker containers - and "fat" Debian packages before that.)