GitHub Dynamic Secret

Akeyless supports Dynamic Secrets that issue GitHub tokens with a well-defined TTL.

The token is generated from a GitHub App's credentials and is known as an installation access token: it is bound to a specific installation of the App, and can be narrowed further to a subset of the installation's repositories and permissions.

To define a GitHub Dynamic Secret, first create a GitHub App with the permissions you want to grant to the just-in-time temporary tokens.
Then install the App and select the repositories it is allowed to access. A generated token can never exceed what the installation grants; the dynamic secret can only narrow it further.

More information and instructions can be found in GitHub's documentation on creating and installing GitHub Apps.

A GitHub App lets a standalone application access GitHub resources.
In our case it is needed only for generating access tokens. Nothing calls back into a web application, so the Homepage URL, Callback URL, and Webhook URL fields can be filled with placeholder URLs.

Create a Dynamic Secret for GitHub from the CLI

Let’s create a dynamic secret for GitHub using the Akeyless CLI.

akeyless gateway-create-producer-github -u <Your GW URL> --name <secret name> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <base64-encoded-key> \
--installation-id <Your GitHub Installation ID> \
--token-repositories <GitHub Repositories names> \
--token-permissions <GitHub Permissions, e.g. contents=read>

Where:

  • name: A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash / separators. If the folder does not exist, it will be created together with the secret.
  • github-app-id: Your GitHub Application ID.
  • github-app-private-key: After you create a GitHub App, generate a private key for it. Pass the key base64-encoded; it is used to sign the access token requests.
  • installation-id: Your GitHub application installation ID.
  • installation-repository: Alternative to installation-id. A repository path in the format <owner/repo>; your application installation must have access to this repository.
  • token-repositories: Repositories the generated token may access, a subset of those the installation is allowed to access.
  • token-permissions: Permission profile for the generated token on those repositories, as key=value pairs such as contents=read. The list of allowed permissions is documented under Properties of the permissions object in GitHub's REST API documentation for creating installation access tokens.
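To make concrete what the producer does with these inputs, here is an added Go example; it is not part of this page or of Akeyless's own code. It decodes the private key from the base64 form --github-app-private-key expects, signs the short-lived App JWT with it, and exchanges that JWT for an installation access token narrowed to the requested repositories and permissions via GitHub's POST /app/installations/{installation_id}/access_tokens endpoint. The function names, the GenerateAppKey helper (present only so the flow can be exercised offline), the 9-minute JWT lifetime and the placeholder App ID "12345" are this example's own choices, not values from the page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// GenerateAppKey makes a throwaway key so the flow runs offline; a real producer uses the key GitHub issued.
func GenerateAppKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncodeAppKey yields what --github-app-private-key expects: GitHub's PKCS#1 PEM, base64-encoded.
func EncodeAppKey(key *rsa.PrivateKey) string {
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(block))
}

// DecodeAppKey reverses EncodeAppKey and rejects anything that is not an RSA private key.
func DecodeAppKey(b64 string) (*rsa.PrivateKey, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, fmt.Errorf("key is not valid base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("expected a PEM block of type RSA PRIVATE KEY")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// AppJWT builds the RS256 JWT with which the App authenticates as itself. GitHub rejects a JWT whose
// exp is more than 10 minutes past iat, so the lifetime stays under that; iat is backdated for clock skew.
func AppJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	claims := map[string]any{"iat": now.Add(-30 * time.Second).Unix(), "exp": now.Add(9 * time.Minute).Unix(), "iss": appID}
	signingInput := enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TokenRequest is the body of POST /app/installations/{id}/access_tokens. An empty field is omitted
// and the token then inherits the installation's grant for it, which is what the CLI does without -r / -p.
type TokenRequest struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// InstallationToken exchanges the App JWT for an installation access token narrowed to req. GitHub answers
// 201 with a token that expires after one hour, and refuses a request wider than the installation's grant.
func InstallationToken(baseURL, jwt string, installationID int64, req TokenRequest) (string, time.Time, error) {
	body, _ := json.Marshal(req)
	url := fmt.Sprintf("%s/app/installations/%d/access_tokens", strings.TrimRight(baseURL, "/"), installationID)
	r, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", time.Time{}, err
	}
	r.Header.Set("Authorization", "Bearer "+jwt)
	r.Header.Set("Accept", "application/vnd.github+json")
	resp, err := http.DefaultClient.Do(r)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", time.Time{}, fmt.Errorf("github returned %s", resp.Status)
	}
	var out struct {
		Token     string    `json:"token"`
		ExpiresAt time.Time `json:"expires_at"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", time.Time{}, err
	}
	return out.Token, out.ExpiresAt, nil
}

func main() {
	key, _ := GenerateAppKey()                   // stand-in for the key GitHub issued
	jwt, err := AppJWT(key, "12345", time.Now()) // "12345" is a placeholder App ID
	if err != nil {
		panic(err)
	}
	fmt.Println("flag value:", EncodeAppKey(key)[:24]+"...", "\njwt:", jwt)
}
```

In use, EncodeAppKey on the .pem GitHub issued gives the value for --github-app-private-key; DecodeAppKey and AppJWT are the gateway-side steps; InstallationToken(baseURL, jwt, installationID, TokenRequest{Repositories: ..., Permissions: map[string]string{"contents": "read"}}) performs the exchange. The scoping is enforced by GitHub, not by the client: a TokenRequest asking for more than the installation was granted is rejected rather than silently widened, which is why the App's installation settings are the real ceiling on what any dynamic secret can hand out.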

Options

The full list of options for this command is:

-n, --name                                       *Producer name
      --installation-id                             Github application installation id
      --installation-repository                     Optional, instead of installation id, set a GitHub repository '<owner>/<repo-name>'
      --target-name                                 Name of existing target to use in producer creation
      --github-app-id                               Github application id
      --github-app-private-key                      Github application private key (base64 encoded key)
      --github-base-url[=https://api.github.com/]   Github base url
  -p, --token-permissions                           Tokens allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"contents":"read"}'
  -r, --token-repositories                          Tokens allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2
  -u, --gateway-url[=http://localhost:8000]         API Gateway URL (Configuration Management port)
      --profile, --token                            Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
      --username                                    Optional username for various authentication flows
      --password                                    Optional password for various authentication flows
      --uid-token                                   The universal identity token, Required only for universal_identity authentication
  -h, --help                                        display help information
      --json[=false]                                Set output format to JSON
      --no-creds-cleanup[=false]                    Do not clean local temporary expired creds

Create a Dynamic Secret for GitHub from the Akeyless UI

In the Akeyless Web Console UI, select New > Dynamic Secrets > Infra > GitHub, and fill in the following fields:

  • Name: A unique name that describes the purpose or permissions scope of this dynamic secret.
  • Location: The path in which to store this dynamic secret.
  • Installation ID \ Repository path: The GitHub App installation ID, or a repository path in the form <owner>/<repo-name> that the installation has access to.
  • Installation Token Repositories: Repositories the generated token may access, comma-separated. By default the installation's allowed repositories are used.
  • Installation Token Permissions: Permissions granted to the generated token, as key=value pairs or a JSON string, e.g. {"contents":"read"}. By default the installation's allowed permissions are used.
  • App Private Key: The GitHub App private key, base64-encoded.
  • Base URL: The GitHub base URL, https://api.github.com by default.
