#aws
2022-04-21
jjttjj 14:04:06

What's the current best practice to get GitHub credentials to an EC2 instance? I need to pull from private GitHub repos. My current thinking is: put the GitHub SSH private key into Secrets Manager, restrict its access to an IAM role that you give to the instance profile of the EC2 instance, then run a script on the instance that fetches the secret and saves it.

lukasz 14:04:51

We're doing something like that - let me check how we solved it.

lukasz 14:04:45

So, each team member that requires access has to generate a new key pair used only for access to the bastion instance. The same key is added to GH to allow pull/push. And lastly, we have a cloud-init template that creates ~/.ssh/authorized_keys for each user automatically on instance creation. So we don't need to worry about private keys really, as long as individuals take care of securing them on their end.

jumar 15:04:15

If there's a user on behalf of whom you're doing the clone, then OAuth is a common choice.

jjttjj 15:04:06

So GitHub deploy keys would be added for each project for each user that works on it, right?

lukasz 16:04:36

Yes, that's how all CI systems automate this; there's an API to generate a key for deploy-only scenarios, I believe - not something I've worked with.

jjttjj 16:04:54

Cool, thanks for the input!

lukasz 16:04:32

(As an aside: we have factored GitHub out of deployments completely, by using Docker containers - and "fat" Debian packages before that.)