GitHub Dynamic Secret
Akeyless supports Dynamic Secrets of GitHub tokens with a well-defined TTL.
The token is generated based on GitHub App information and is known as an installation access token.
To define a GitHub Dynamic Secret, you should first create a GitHub App with the permissions you wish to grant to the just-in-time temporary tokens.
Then, you need to install the app and select the repositories you wish to allow access to.
More information & instructions can be found here.
A GitHub App enables a stand-alone application to access GitHub resources.
In our case, it is needed only for generating access tokens. There is no need to communicate with a web app, so the Homepage URL, Callback URL, and Webhook URL can be filled with dummy URLs.
Create a Dynamic Secret for GitHub from the CLI
Let’s create a dynamic secret for GitHub using the Akeyless CLI.
akeyless gateway-create-producer-github -u <Your GW URL> --name <secret name> \
--github-app-id <Your GitHub application ID> \
--github-app-private-key <base64-encoded-key> \
--installation-id <Your GitHub Installation ID> \
--token-repositories <GitHub Repositories names> \
--token-permissions <GitHub Permissions e.g. contents=read>
Where:
- name: A unique name for the dynamic secret. The name can include the path to the virtual folder in which you want to create the new secret, using slash (/) separators. If the folder does not exist, it will be created together with the secret.
- github-app-id: Your GitHub Application ID.
- github-app-private-key: After you create a GitHub App, you'll need to generate a private key. You'll use the private key to sign access token requests.
- installation-id: Your GitHub application installation ID.
- installation-repository: Repository path in the format <owner/repo>. Your application installation should have access to this repository.
- token-repositories: Allowed repositories.
- token-permissions: Allowed permission profile for the generated token on your repository. A list of allowed permissions can be found under "Properties of the permissions object" in GitHub's REST API documentation.
Options
The full list of options for this command is:
-n, --name *Producer name
--installation-id Github application installation id
--installation-repository Optional, instead of installation id, set a GitHub repository '<owner>/<repo-name>'
--target-name Name of existing target to use in producer creation
--github-app-id Github application id
--github-app-private-key Github application private key (base64 encoded key)
--github-base-url[=https://api.github.com/] Github base url
-p, --token-permissions Tokens allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g - "-p contents=read -p issues=write" or -p '{"content":"read"}'
-r, --token-repositories Tokens allowed repositories. By default use installation allowed repositories. To specify multiple repositories use argument multiple times: -r RepoName1 -r RepoName2
-u, --gateway-url[=http://localhost:8000] API Gateway URL (Configuration Management port)
--profile, --token Use a specific profile (located at $HOME/.akeyless/profiles) or a temp access token
--username Optional username for various authentication flows
--password Optional password for various authentication flows
--uid-token The universal identity token, Required only for universal_identity authentication
-h, --help display help information
--json[=false] Set output format to JSON
--no-creds-cleanup[=false] Do not clean local temporary expired creds
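The token a GitHub dynamic secret hands out is an ordinary GitHub App installation access token, so the --token-repositories and --token-permissions inputs above map directly onto the body of GitHub's POST /app/installations/{installation_id}/access_tokens request. The following Python script is an added illustration, not Akeyless or GitHub code: it parses the two permission input formats the -p option accepts, lists any requested permission that exceeds what the installation was granted (GitHub refuses such requests, so it is worth checking before calling the API), decodes the base64-encoded private key the CLI expects, and assembles the request URL and body. The sample key, installation ID, repository name and installed-permission set are constructed placeholders; the function names are this example's own.

```python
"""Assemble the GitHub installation-access-token request behind a GitHub
dynamic secret from CLI-style inputs (added example, not Akeyless code)."""
import base64
import json

# Access levels GitHub accepts in the "permissions" object of an
# installation access token request (most permissions use read/write).
LEVELS = ("read", "write", "admin")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed placeholder: a base64-encoded PEM body, NOT a real key.
SAMPLE_B64_KEY = base64.b64encode(
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
    b"-----END RSA PRIVATE KEY-----\n").decode("ascii")


def parse_permission_args(args):
    """Parse -p inputs given either as key=value pairs or as JSON objects.

    Mirrors the two --token-permissions formats; a later entry for the same
    permission overrides an earlier one.
    """
    permissions = {}
    for raw in args:
        raw = raw.strip()
        if raw.startswith("{"):
            parsed = json.loads(raw)
            if not isinstance(parsed, dict):
                raise ValueError(f"permission JSON must be an object: {raw!r}")
            entries = list(parsed.items())
        elif "=" in raw:
            key, _, value = raw.partition("=")
            entries = [(key.strip(), value.strip())]
        else:
            raise ValueError(f"unrecognised permission input: {raw!r}")
        for key, value in entries:
            if not key or value not in LEVELS:
                raise ValueError(f"invalid permission entry {key!r}={value!r}")
            permissions[key] = value
    return permissions


def installation_violations(requested, installed):
    """List requested permissions that exceed the installation's grant.

    GitHub refuses token requests that ask for more than the app was
    installed with, so a producer should check this before calling the API.
    """
    violations = []
    for key, level in requested.items():
        granted = installed.get(key)
        if granted is None or RANK[level] > RANK[granted]:
            violations.append(f"{key}={level} exceeds {key}={granted or 'none'}")
    return violations


def decode_private_key(b64_key):
    """Decode the base64-encoded PEM the CLI expects and sanity-check it."""
    pem = base64.b64decode(b64_key, validate=True).decode("ascii")
    if "PRIVATE KEY-----" not in pem:
        raise ValueError("decoded value is not a PEM private key")
    return pem


def build_access_token_request(installation_id, repositories=None,
                               permissions=None,
                               base_url="https://api.github.com/"):
    """Return (url, body) for POST /app/installations/{id}/access_tokens.

    Omitting repositories or permissions keeps the installation defaults,
    which is what the CLI does when -r / -p are not given. The request must
    be sent with a JWT signed by the app private key as the bearer token.
    """
    url = (f"{base_url.rstrip('/')}/app/installations/"
           f"{installation_id}/access_tokens")
    body = {}
    if repositories:
        body["repositories"] = list(repositories)
    if permissions:
        body["permissions"] = dict(permissions)
    return url, body


def demo():
    """Run the flow on constructed inputs and return the outcome."""
    decode_private_key(SAMPLE_B64_KEY)
    requested = parse_permission_args(["contents=read", '{"issues":"write"}'])
    # Constructed placeholder for what the app installation was granted.
    installed = {"contents": "write", "issues": "read", "metadata": "read"}
    violations = installation_violations(requested, installed)
    url, body = build_access_token_request("12345", ["RepoName1"], requested)
    return {"url": url, "body": body, "violations": violations}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Leaving the body empty (no -r / -p) yields a token with the installation's full grant, so the defensive choice is to always pass the narrowest repositories and permissions the consuming job needs; the violations list makes it obvious when a requested profile is wider than the app was installed with.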
Create a Dynamic Secret for GitHub from the Akeyless UI
In the Akeyless Web Console UI, select New > Dynamic Secrets > Infra > GitHub.
Field | Description |
---|---|
Name | A unique name that describes the purpose or permissions scope of this dynamic secret. |
Location | The path in which to store this dynamic secret. |
Installation ID \ Repository path | GitHub application installation ID or Repository path. |
Installation Token Repositories | Tokens allowed repositories. By default use installation allowed repositories, comma-separated. |
Installation Token Permissions | Tokens allowed permissions. By default use installation allowed permissions. Input format: key=value pairs or JSON strings, e.g |
App Private Key | GitHub application private key (base64 encoded key) |
Base URL | GitHub base URL |