
Standalone script (no dependencies beyond Python) that fetches the SSH keys of GitHub repository contributors and generates SOPS-compatible SSH key files.

Project description

github-to-sops integrates SOPS with GitHub team/user identities. Use sops + GitHub instead of having to operate Hashicorp Vault or AWS Secrets Manager, stuffing everything into GitHub Actions secrets, or fighting with GPG.

Why?

I needed github-to-sops to make SOPS easier to use for my https://deepstructure.io and https://chatcraft.org projects.

This makes it easy to set up SOPS as a lightweight GitOps alternative to AWS Secrets Manager, AWS KMS, or Hashicorp Vault.

SOPS helps avoid the push-and-pray pattern (https://dagger.io/ coined the term and built a solution for it), where all secrets for GitHub Actions live in GitHub Secrets and nobody can reproduce a run locally. With sops, one can give GitHub Actions a single age private key and share all the development keys with the rest of the team, on an equal footing with the CI/CD environment.

Requirements

Installation

The latest version of github-to-sops can be cloned locally or installed using pip:

pip install github-to-sops

On Mac or Linux you can install sops and ssh-to-age using:

github-to-sops install-binaries

Implementation

This generates a nice .sops.yaml file with comments indicating where the keys came from to make key rotation easier.

The idea for this originated in https://github.com/tarasglek/chatcraft.org/pull/319 after I got sick of devising a secure secret distribution scheme for every small project.

Contributions Welcome

  • Tests
  • Binary build for python-less environments
  • ACLs and an integrity check for the keys being used would be nice to add.

Examples:

I wrote an in-depth explanation and screencasts on my blog post introducing github-to-sops.

Env vars:

  • GITHUB_TOKEN: optional GitHub token which helps avoid rate limiting.

I tried to make the code work without GitHub tokens, but GitHub requires them for private repos and rate-limits aggressively without them. See the GitHub docs on how to obtain a GITHUB_TOKEN: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens

Example workflow for secrets with github

Import all public keys of the contributors to the GitHub project:

./github-to-sops import-keys  > .sops.yaml

or, if your repo isn't published to GitHub or you aren't working inside a git checkout:

./github-to-sops import-keys  --github-url https://github.com/tarasglek/chatcraft.org

Let's see:

cat .sops.yaml
creation_rules:
  - key_groups:
      - age:
        - age19j4d6v9j7rx5fs629fu387qz4zmlpsqjexa4s08tkfrrmfdl5cwqjlaupd # humphd
        - age13runq29jhy9kfpaegczrzttykerswh0qprq59msgd754yermtfmsa3hwg2 # tarasglek

Put a sample secret in YAML:

echo -e "secrets:\n  SECRET_KEY: dontlook" | sops --input-type yaml --output-type yaml  -e /dev/stdin > secrets.enc.yaml

Let's take a peek:

head -n 9 secrets.enc.yaml
secrets:
    SECRET_KEY: ENC[AES256_GCM,data:MKKR6B0h1iA=,iv:KegjC62NQxich1dtodVF3aVnchf/fB+KQbtETh+4CaY=,tag:2+5mk4YMKKxLqaCOpZVNSA==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age19j4d6v9j7rx5fs629fu387qz4zmlpsqjexa4s08tkfrrmfdl5cwqjlaupd

^ is safe to commit!

Decrypting secrets using ssh keys

export SOPS_AGE_KEY=$(ssh-to-age -private-key < ~/.ssh/id_ed25519)

Let's extract our secret in a way that's useful for automation:

sops --extract '["secrets"]["SECRET_KEY"]' -d secrets.enc.yaml
dontlook

sops -i secrets.enc.yaml is useful for interactive editing.

Bulk-updating secrets and keys when someone is added to or removed from the project:

github-to-sops refresh-secrets
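As an added illustration of what the import-keys step does under the hood (written for this page, not github-to-sops' own code), the following pure-Python script parses ssh-ed25519 public key lines, converts each to an age recipient with the same Edwards-to-Montgomery map and bech32 encoding that ssh-to-age applies, and renders the .sops.yaml shape shown above with the owning GitHub user kept as a comment. The sample key line is constructed from the RFC 8032 Ed25519 test vector and the user name alice is made up; fetching the real key list from GitHub is left out so the script runs offline.

```python
import base64
import struct
P = 2**255 - 19                                  # Curve25519 field prime
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"      # bech32 alphabet
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]   # bech32 generator
AGE_HRP = [ord(c) >> 5 for c in "age"] + [0] + [ord(c) & 31 for c in "age"]   # bech32 hrp expansion
SSH_ED25519_HDR = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)   # SSH wire-format prefix

def parse_ssh_ed25519(line):
    # OpenSSH "ssh-ed25519 <base64 blob> [comment]"; the blob is the header above followed by the key
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    if kind != "ssh-ed25519" or not blob.startswith(SSH_ED25519_HDR) or len(blob) != len(SSH_ED25519_HDR) + 32:
        raise ValueError("not a well-formed ssh-ed25519 public key line")
    return blob[len(SSH_ED25519_HDR):]            # raw 32-byte Ed25519 public key

def ed25519_to_x25519(pk):
    # Edwards y -> Montgomery u: u = (1 + y) / (1 - y) mod p, the same map ssh-to-age applies
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)   # drop the x sign bit
    return ((1 + y) * pow((1 - y) % P, -1, P) % P).to_bytes(32, "little")

def bech32_polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def age_recipient(x25519_pk):
    # age recipient = bech32(hrp "age", 32-byte key): regroup 8-bit bytes into 5-bit symbols, add checksum
    acc, bits, data = 0, 0, []
    for b in x25519_pk:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    data.append((acc << (5 - bits)) & 31)         # 256 bits = 51 symbols + 1 zero-padded symbol
    pm = bech32_polymod(AGE_HRP + data + [0] * 6) ^ 1
    data += [(pm >> (5 * (5 - i))) & 31 for i in range(6)]
    return "age1" + "".join(CHARSET[d] for d in data)

def sops_yaml(keys):
    # Same shape as the .sops.yaml above: one recipient per (github user, key line), user kept as a comment
    lines = ["creation_rules:", "  - key_groups:", "      - age:"]
    lines += [f"        - {age_recipient(ed25519_to_x25519(parse_ssh_ed25519(k)))} # {u}" for u, k in keys]
    return "\n".join(lines) + "\n"

PK_HEX = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"   # RFC 8032 test-vector public key
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SSH_ED25519_HDR + bytes.fromhex(PK_HEX)).decode() + " alice@example"
```

The per-recipient comment is what keeps rotation tractable: when a contributor leaves, you know which line disappears before running refresh-secrets.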

Usage:

./github-to-sops -h
usage: github-to-sops [-h] {import-keys,refresh-secrets} ...

Manage GitHub SSH keys and generate SOPS-compatible SSH key files.

options:
  -h, --help            show this help message and exit

Commands:
  {import-keys,refresh-secrets}
    import-keys         Import SSH keys of GitHub repository contributors or specified github users and output that info into a useful format like sops or ssh authorized_keys
    refresh-secrets     Find all .sops.yaml files in the repo that are managed by git and run `import-keys --inplace-edit .sops.yaml` on them.

Example invocations:
- `./github-to-sops import-keys --github-url https://github.com/tarasglek/chatcraft.org --key-types ssh-ed25519 --format sops`
- `./github-to-sops import-keys --github-url https://github.com/tarasglek/chatcraft.org --format authorized_keys`
- `./github-to-sops import-keys --local-github-checkout . --format sops --known-hosts ~/.ssh/known_hosts --key-types ssh-ed25519`
- `./github-to-sops refresh-secrets`

Project details


Download files


Source Distribution

github_to_sops-1.3.1.tar.gz (13.4 kB)

Uploaded Source

Built Distribution

github_to_sops-1.3.1-py3-none-any.whl (12.1 kB)

Uploaded Python 3

File details

Details for the file github_to_sops-1.3.1.tar.gz.

File metadata

  • Download URL: github_to_sops-1.3.1.tar.gz
  • Size: 13.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for github_to_sops-1.3.1.tar.gz
Algorithm Hash digest
SHA256 13ba182c1c87119486df40489a11c6cd53b16a2883ead2b96c045dd48882b08a
MD5 beeb9e86a80262f49520d1e6ff0b3da3
BLAKE2b-256 0d418d7746d6d41eac75f1e38075264e2dbc8f15ab8e65a373ad1a3aed7ae548


File details

Details for the file github_to_sops-1.3.1-py3-none-any.whl.

File hashes

Hashes for github_to_sops-1.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9b4a256c643d974148cca609a24bb3136bd675db0d1eb248b0b0a046762c1204
MD5 c1abf49ce7558925844eecf4577be673
BLAKE2b-256 4a58fe2b13e4fc9ce3b202e56a1727aa4d7334e4c071407b99670baa4daa953a

