Skip to main content

Use ghrawel to deploy an AWS API Gateway RestAPI capable of returning GitHub App installation access tokens and use AWS IAM to control access to this API.

Project description

npm (scoped) Nuget PyPI GitHub release (latest SemVer)

ghrawel

ghrawel will aim to provide components that help integrate GitHub and AWS using primarily AWS CDK and minimal application code.

Token Provider

Use this to deploy an AWS API Gateway RestAPI capable of returning GitHub App installation access tokens and use AWS IAM to control access to this API.

Table of Contents

Use case

The private key belonging to a GitHub App can be used to create installation access tokens that only contains a selection of the permissions that the GitHub App has been granted and also for a limited number of repositories that the GitHub App has been installed in. This installation access token has a maximum lifetime of an hour and can revoke itself.

Use ghrawel to control access to sensitive GitHub API credentials within an AWS and GitHub Actions environments, when such requirements exist.

When not to use this

Creating PATs or GitHub App Private keys is easy and they are simple to use whether stored in AWS or as a GitHub secret. Using this solution introduces new components and complexity that has to be managed and such a thing is not always worth it.

How it works

An application or a GitHub Actions workflow with access to AWS IAM Credentials initiates the sequence of events by signing a HTTP request with those credentials.

sequenceDiagram
    autonumber
    participant HTTP as HTTP Request
    participant App as Application/GHA
    note over App: Has AWS IAM Credentials
    participant API as API Gateway
    participant Authorizer as IAM Authorizer
    participant Lambda as Lambda
    participant GitHub as GitHub API
    App->>HTTP: Create and Sign
    App->>API: Send Request
    API->>Authorizer: Authorization
    alt if not authorized
        API-->>App: 401
    end
    API->>Lambda: Forward Authorized Request
    Lambda->>Lambda: Additional validation
    alt if validation fails
        Lambda-->>API: 400 Bad Request
        API-->>App: 400 Bad Request
    end
    Lambda->>GitHub: Request Token
    Lambda->>API: Token Response
    API->>App: Token Response
    App->>GitHub: Uses token

Setup

[!NOTE] The machine deploying will require docker as catnekaise/ghrawel-tokenprovider-lambda-go will be built to run in the lambda function. See Dockerfile and application for more.

[!NOTE] This guide assumes some familiarity with AWS CDK.

This test setup can be tested with a GitHub App that only has access to a single test repository in GitHub and this repository (and app) can be on your user instead of in your organization.

Costs

Assuming that you make 10 000 requests using this test setup, the cost of lambda and cloudwatch is covered under the free tier. The cost of the API Gateway RestApi will be between free and 0.035$ depending on how old the AWS Account is. Depending on your AWS Environment there could be charges for CloudTrail, Config, other tools and any custom automations that might create additional resources based on the resources deployed. It's best to test this is a sandbox account.

There are no charges related to GitHub.

1. GitHub

https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app

For our testing purposes we need to create a test repository and a GitHub App. The app being created shall be considered a test app and should not be granted unnecessary permissions or installed anywhere but in repositories used for testing this. The link above provides additional information about working with GitHub Apps.

  1. Create a new empty repository in your organization or on your user which can be used for testing.

    • When creating this repository, initialize the repository so that a default branch with a README.md file is created.
  2. Create a GitHub App in the same organization or user and grant read & write on the repository level permissions contents and issues.

    • Do not add configuration under Identifying and authorizing users as this app is not for users
    • Put any url under Homepage URL as its a required field
    • Deselect active under webhook as no webhook shall be configured for this use-case
    • Keep only on this account selected
  3. Note down the id of the GitHub App as it will be used later.

  4. Create a new private key for this GitHub App and keep it around as it will be used later.

  5. Install the GitHub App in the single test repository that was created further above

2.1 Installation

[!NOTE] CDK for .NET can also be used to test this but examples below has to be translated.

cdk init --language typescript
npm install -s @catnekaise/ghrawel

2.2 AWS CDK

  1. Change the value of defaultAppId in the example below to match your newly created GitHub App.
  2. Synthesis the stack and review what changes will be made before finally deploying the stack into a sandbox account.
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { ManagedGitHubApps, GitHubAppSecretsStorage, TokenProviderApi, PermissionLevel } from '@catnekaise/ghrawel';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'TokenProviderStack');

const apps = new ManagedGitHubApps(stack, 'Apps', {
  // Change this value
  defaultAppId: 1234,
  storage: GitHubAppSecretsStorage.PARAMETER_STORE,
});

const tokenProviderApi = new TokenProviderApi(stack, 'TokenProviderApi', {
  apps,
});

const provider = tokenProviderApi.newTokenProvider('example-provider', {
  permissions: {
    contents: PermissionLevel.READ,
    issues: PermissionLevel.WRITE,
  },
});

3. Add Private Key in Parameter Store

When the stack has completed its deployment a secure string parameter will have been initialized at path /catnekaise/github-apps/default in Systems Manager Parameter Store with value placeholder. Go there and enter the full text value of GitHub App Private Key created earlier inside the value field of this parameter.

4. Request a token

The easiest way to see that this is now working and to request an access token is to head over to the API Gateway in the AWS Console. Examples on how to request a token with cURL or GitHub Actions can be seen further down, and more in additional usage docs.

  1. Open the API that was created.
  2. Find the single GET method created and select it.
  3. Click on the Test tab.
  4. Enter the name of the organization or user where the test repository is located in the form field labeled owner.
  5. Enter the name of the test repository in the form field labeled repo.
  6. Click on the Test button.
  7. If everything was done correctly, the response should look similar to below.

5. Use the token

In this example cURL is used to create an issue in your test repository. Either use this example or use a tool of your choice with the same input. After Successfully performing this test there should be a new issue in your test repository.

#!/usr/bin/env bash

OWNER="Enter name of organization or user"
REPO="Enter name of repo"
TOKEN="Enter token"

curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Token ${TOKEN}" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/repos/${OWNER}/${REPO}/issues" \
  -d '{"title":"Testing using app installation token","body":"Testing using app installation token"}'

6. Test limits of the token

If a GitHub App was created with the example permissions further above and the token provider was configured the with access read or the permission contents, then the token shall be able to read contents in the repository but not write content to the repository.

6.1 Read README.md

The following cURL command will fetch the contents of README.md and print out body the full JSON body and decode the value of content in the body.

#!/usr/bin/env bash

OWNER="Enter name of organization or user"
REPO="Enter name of repo"
MY_TOKEN="Enter token Value"

README_MD=$(curl -s -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Token ${MY_TOKEN}" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/repos/${OWNER}/${REPO}/contents/README.md")

echo "$README_MD"

echo "$README_MD" | jq -r '.content' | base64 -d

6.2 Write TEST.md

Again, assuming setup have been done as example above, the following cURL command shall fail to create the file TEST.md in the test repositories default branch.

#!/usr/bin/env bash

OWNER="Enter name of organization or user"
REPO="Enter name of repo"
MTOKEN="Enter token Value"

curl --fail-with-body -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Token ${TOKEN}" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/repos/${OWNER}/${REPO}/contents/TEST.md" \
  -d '{"message":"my commit message","content":"SGVsbG8gZnJvbSBjYXRuZWthaXNlCg=="}'

6.3 Create a second token provider

Update the stack by creating a second token provider that is granted write for the contents permission and re-deploy the stack.

tokenProviderApi.newTokenProvider('example-provider-2', {
  permissions: {
    contents: PermissionLevel.WRITE,
  },
});

6.4 Retry Creating TEST.md

After deployment, refresh the page in the web browser where you previously generated a token and find the second GET method available under the path /x/example-provider-2/{owner}/{repo}. Use this token provider to generate a new token for the same repository and re-run the example below. After successfully performing this test there should be a file named TEST.md in the root of your test repository on the default branch.

#!/usr/bin/env bash

OWNER="Enter name of organization or user"
REPO="Enter name of repo"
MY_TOKEN="Enter token Value"

curl --fail-with-body  -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Token ${MY_TOKEN}" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/repos/${OWNER}/${REPO}/contents/TEST.md" \
  -d '{"message":"my commit message","content":"SGVsbG8gZnJvbSBjYXRuZWthaXNlCg=="}'

7. Cleanup

Either clean up now or test this out some more using cURL or GitHub Actions before cleaning up. The steps to remove everything that was created.

  1. In GitHub, find the GitHub App and either uninstall, suspend or delete this GitHub App

    • If wanting to test this again at a later date, suspend the installation and next time re-enable and rotate the private key to resume testing.
    • If done, delete the GitHub App
  2. In AWS Console go to CloudFormation and find the Stack that was created and delete it.

Granting Access

Continue reading here for more detailed examples.

declare const principal: iam.IPrincipal;

const role = new iam.Role(stack, 'Role', {
  assumedBy: principal,
});

const provider = tokenProviderApi.newTokenProvider('example-provider', {
  permissions: {
    contents: PermissionLevel.READ,
    issues: PermissionLevel.WRITE,
  },
});

provider.grantExecute(role);

Get Token - cURL

This example shows how to use cURL to sign the request with the AWS IAM credentials. The example assumes the existence of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN in the environment.

For more usage examples, check out usage docs.

AWS_REGION="eu-west-1"
BASE_URL="https://abcd1234.execute-api.${AWS_REGION}.amazonaws.com/dev"
PROVIDER="example-provider"

RESPONSE=$(curl "${BASE_URL}/x/${PROVIDER}/catnekaise/example-repo" \
	--user "${AWS_ACCESS_KEY_ID}":"${AWS_SECRET_ACCESS_KEY}" \
	-H "x-amz-security-token: ${AWS_SESSION_TOKEN}" \
	--aws-sigv4 "aws:amz:${AWS_REGION}:execute-api")

TOKEN=$(echo "$RESPONSE" | jq -r '.token')

## Use Token...

Get Token - GitHub Actions

For more usage examples in GitHub Actions and a re-usable action, check out GitHub Actions usage docs.

on:
  workflow_dispatch:
jobs:
  job1:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: "Authenticate"
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: "eu-west-1"
          role-to-assume: "arn:aws:iam::111111111111:role/role-name"

      - name: "Get Token"
        uses: catnekaise/ghrawel-token@v1
        id: token
        with:
          base-url: "https://abc123d4.execute-api.eu-west-1.amazonaws.com/dev"
          provider-name: "example-provider"
          aws-region: "eu-west-1"
      - name: "Use Token"
        env:
          TOKEN: "${{ steps.token.outputs.token }}"
        run: |
          echo "Utilize the token"

Customize RestAPI and Lambda

Read more in infrastructure and application.

import { ManagedGitHubApps, TokenProviderApi, TokenProviderLambdaCode, ApplicationArchitecture } from '@catnekaise/ghrawel';

const managedLambda = new lambda.Function(stack, 'Function', {
  code: TokenProviderLambdaCode.dotnet({
    architecture: ApplicationArchitecture.ARM64,
    repository: 'https://github.com/catnekaise/example-fork.git',
    checkout: 'main',
  }),
  handler: 'bootstrap',
  runtime: lambda.Runtime.DOTNET_8,
  // Add name, vpc, etc
});

const managedApi = new apigateway.RestApi(stack, 'TokenProviderApi', {
  // Add domain, vpc, etc
});

const apps = new ManagedGitHubApps(stack, 'Apps', {
  defaultAppId: 1234,
  storage: GitHubAppSecretsStorage.PARAMETER_STORE,
  additionalApps: [
    GitHubApp.create('another-app', 1111),
    GitHubApp.create('yet-another-app', 2222),
  ],
});

const tokenProviderApi = new TokenProviderApi(stack, 'TokenProviderApi', {
  apps,
  lambda: managedLambda,
  api: managedApi,
});

tokenProviderApi.newTokenProvider('example-provider', {
  permissions: {
    contents: PermissionLevel.READ,
  },
});

Next Steps

Here're some additional documentation on various topics:

Contributions

Please open issues if having general feedback or if getting stuck on something that was not covered by any documentation. PR's are welcome for bugfixes. For any feature additions, please open an issue for discussion first.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

catnekaise_ghrawel-0.0.17.tar.gz (247.1 kB view details)

Uploaded Source

Built Distribution

catnekaise.ghrawel-0.0.17-py3-none-any.whl (251.2 kB view details)

Uploaded Python 3

File details

Details for the file catnekaise_ghrawel-0.0.17.tar.gz.

File metadata

  • Download URL: catnekaise_ghrawel-0.0.17.tar.gz
  • Upload date:
  • Size: 247.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.5

File hashes

Hashes for catnekaise_ghrawel-0.0.17.tar.gz
Algorithm Hash digest
SHA256 bf145de50c886edc2feecf6ae52f41a33fc3dc732b305abbd49abccf55050c3b
MD5 2cfbb627834317cac6e8e4a8f22cc98e
BLAKE2b-256 8565a755cbba4ffb97df9a73572d8590a0710c8594234ae32bec4b571f0a7aab

See more details on using hashes here.

File details

Details for the file catnekaise.ghrawel-0.0.17-py3-none-any.whl.

File metadata

File hashes

Hashes for catnekaise.ghrawel-0.0.17-py3-none-any.whl
Algorithm Hash digest
SHA256 d9616c4934dad7c01d0505d7ab5d64914f6a0b24a4bf81df749feead74bd8fc2
MD5 ac73388005a5cf38a500746ac7f51823
BLAKE2b-256 4ed01602a8e2cd830e464058f8e5bfd5104003a5381259cb506033f8780768fd

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page