Use HashiCorp Vault to manage a GitHub App's private RSA key.
Project description
HashiCorp Vault for GitHub Apps
Python library for using HashiCorp Vault's Transit Engine to manage a GitHub App's private RSA key. The key is handled in plaintext only once, at import time; after that it stays inside Vault (Transit keys are not exportable unless that is explicitly requested at import) and every JWT is signed by Vault. More precisely, the library provides the following pieces of functionality.
- Perform the initial import of the App's private key into Vault
- Have Vault sign the JWT needed to authenticate as the App and then exchange it for a GitHub installation access token
See Authenticating as a GitHub App installation (GitHub Docs) for context.
Installation
pip install hv4gha
Usage
In addition to the examples below, see also the docstrings in hv4gha/entry.py.
Import App key
```python
from hv4gha import import_app_key

with open("/path/to/github-app.private-key.pem", "r") as akh:
    my_app_key = akh.read()

import_app_key(
    pem_key=my_app_key,
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
)
```
Issue Access Token
```python
from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_id=368468,
    account="andreaso",
)

access_token = response["access_token"]
token_expiry = response["expires_at"]
```
Issue scoped Access Token
```python
from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_id=368468,
    account="andreaso",
    permissions={"contents": "read"},
    repositories=["world-domination"],
)

access_token = response["access_token"]
token_expiry = response["expires_at"]
```
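What the issue step does on the wire, as an added example that is not hv4gha's own code: it builds the GitHub App JWT (header and claims per the GitHub docs), asks Transit to sign it, converts Vault's `vault:v1:<base64>` signature into JWS form, and builds the request that exchanges the JWT for an installation token. The transit key name, Vault address and token are the ones from the examples above; the installation id, the Vault token value and the HTTP transport (a fake that answers in Vault's response shape) are constructed so the example runs offline. The one detail worth remembering: RS256 is RSASSA-PKCS1-v1_5, so `pkcs1v15` has to be requested explicitly, because Vault's default for RSA keys is PSS.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# transport(url, headers, json_body) -> parsed JSON response (injectable for tests)
Transport = Callable[[str, Dict[str, str], dict], dict]


def b64url(raw: bytes) -> str:
    """JWS base64url: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_signing_input(app_id: int, now: int) -> str:
    """'header.payload' for a GitHub App JWT. GitHub requires RS256, recommends
    an iat 60 s in the past for clock drift and caps exp at 10 minutes."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": now - 60, "exp": now + 540, "iss": app_id}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}"


def transit_sign_body(signing_input: str) -> dict:
    """Vault base64-decodes 'input' and hashes it itself. RS256 needs pkcs1v15:
    Vault's default for RSA keys is pss, which GitHub rejects for RS256."""
    return {
        "input": base64.b64encode(signing_input.encode("ascii")).decode("ascii"),
        "signature_algorithm": "pkcs1v15",
        "hash_algorithm": "sha2-256",
    }


def vault_signature_to_jws(vault_sig: str) -> str:
    """Vault returns 'vault:v<keyversion>:<standard base64>'; JWS wants the
    same bytes as unpadded base64url."""
    prefix, _, b64 = vault_sig.rpartition(":")
    if not prefix.startswith("vault:v"):
        raise ValueError(f"unexpected transit signature format: {vault_sig[:12]!r}")
    return b64url(base64.b64decode(b64))


def sign_app_jwt(app_id: int, vault_addr: str, key_name: str, vault_token: str,
                 transport: Transport, now: Optional[int] = None) -> str:
    """Have Transit sign the JWT; the private key never leaves Vault."""
    signing_input = jwt_signing_input(app_id, now if now is not None else int(time.time()))
    resp = transport(
        f"{vault_addr}/v1/transit/sign/{key_name}",
        {"X-Vault-Token": vault_token},
        transit_sign_body(signing_input),
    )
    return f"{signing_input}.{vault_signature_to_jws(resp['data']['signature'])}"


def jwt_parts(token: str) -> Tuple[dict, dict, bytes]:
    """Decode a compact JWS into (header, payload, raw signature bytes)."""
    h, p, s = token.split(".")
    dec = lambda part: base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    return json.loads(dec(h)), json.loads(dec(p)), dec(s)


def installation_token_request(app_jwt: str, installation_id: int,
                               permissions: Optional[Dict[str, str]] = None,
                               repositories: Optional[list] = None) -> Tuple[str, dict, dict]:
    """Request that exchanges the JWT for an installation token. An empty body
    yields a token with every permission the installation grants; the optional
    permissions/repositories scope it down (least privilege)."""
    url = f"https://api.github.com/app/installations/{installation_id}/access_tokens"
    headers = {
        "Authorization": f"Bearer {app_jwt}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    body: dict = {}
    if permissions:
        body["permissions"] = permissions
    if repositories:
        body["repositories"] = repositories
    return url, headers, body


def urllib_transport(url: str, headers: Dict[str, str], body: dict) -> dict:
    """Real transport (POST JSON, parse JSON); not used by the offline demo."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={**headers, "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed stand-in for Vault: checks the request shape and answers in Vault's
# response format with a fixed 256-byte blob (not a cryptographically valid signature).
FAKE_SIGNATURE = bytes(range(256))


def fake_vault(url: str, headers: Dict[str, str], body: dict) -> dict:
    assert url.endswith("/v1/transit/sign/my-github-app")
    assert headers["X-Vault-Token"] and body["signature_algorithm"] == "pkcs1v15"
    return {"data": {"signature": "vault:v1:" + base64.b64encode(FAKE_SIGNATURE).decode()}}


if __name__ == "__main__":
    token = sign_app_jwt(368468, "https://vault.example.com:8200", "my-github-app",
                         "s.constructed-token", fake_vault, now=1_700_000_000)
    print(token)
    print(installation_token_request(token, 12345, {"contents": "read"}, ["world-domination"]))
```

Swap `fake_vault` for `urllib_transport` to talk to a real Vault; the installation id for an account comes from GitHub's `GET /users/{username}/installation` or `GET /orgs/{org}/installation` endpoint, called with the same JWT.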
Vault requirements
Somewhat simplified, this is what is required on the Vault side.
Transit secrets engine
First of all, the Transit Engine needs to be enabled.
```shell
vault secrets enable transit
```
Here we are sticking to the default transit/ mount point; adjust the policy paths below if you mount it elsewhere.
Import policy
Reading transit/wrapping_key is what lets the client wrap the App key for Vault's bring-your-own-key import, so the key is only ever sent to Vault in wrapped form. This policy is needed once, for the import, and should not be attached to the token used for day-to-day signing.
```hcl
path "transit/wrapping_key" {
  capabilities = ["read"]
}
path "transit/keys/my-github-app/import" {
  capabilities = ["update"]
}
```
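The wrapping that the import policy makes possible, as an added example (not hv4gha's code, which does this for you). Transit's import expects one base64 blob: the App key as PKCS#8 DER wrapped with AES-KWP under a fresh AES-256 key, preceded by that AES key encrypted with RSA-OAEP-SHA256 under the public key read from transit/wrapping_key. It uses the `cryptography` package; the App key and the wrapping key pair are generated locally (constructed stand-ins; Vault's real wrapping key is RSA-4096) so it runs offline, and the Vault-side unwrap is re-implemented only to verify the round trip.

```python
import base64
import os
from typing import Tuple, Union

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# Vault's import uses hash_function (default SHA256) for both OAEP and MGF1.
OAEP_SHA256 = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                           algorithm=hashes.SHA256(), label=None)


def pkcs8_der(pem_key: Union[str, bytes]) -> bytes:
    """GitHub hands out PKCS#1 PEM ('BEGIN RSA PRIVATE KEY'); Transit wants PKCS#8 DER."""
    if isinstance(pem_key, str):
        pem_key = pem_key.encode()
    key = serialization.load_pem_private_key(pem_key, password=None)
    if not isinstance(key, rsa.RSAPrivateKey):
        raise TypeError("GitHub App private keys are RSA")
    return key.private_bytes(serialization.Encoding.DER,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def wrap_for_transit_import(pem_key: Union[str, bytes],
                            wrapping_key_pem: Union[str, bytes]) -> Tuple[str, str]:
    """Return (ciphertext, key_type) for POST transit/keys/<name>/import.
    Blob layout: RSA-OAEP(wrapping_pub, ephemeral) || AES-KWP(ephemeral, target)."""
    if isinstance(wrapping_key_pem, str):
        wrapping_key_pem = wrapping_key_pem.encode()
    target = pkcs8_der(pem_key)
    key_size = serialization.load_der_private_key(target, password=None).key_size
    wrapping_pub = serialization.load_pem_public_key(wrapping_key_pem)
    ephemeral = os.urandom(32)                      # fresh AES-256 key per import
    blob = wrapping_pub.encrypt(ephemeral, OAEP_SHA256) + aes_key_wrap_with_padding(ephemeral, target)
    return base64.b64encode(blob).decode("ascii"), f"rsa-{key_size}"


def import_request_body(ciphertext: str, key_type: str) -> dict:
    """Body for POST /v1/transit/keys/<name>/import. exportable and
    allow_plaintext_backup already default to false; stated explicitly on purpose."""
    return {
        "ciphertext": ciphertext,
        "type": key_type,
        "hash_function": "SHA256",     # must match the OAEP hash used above
        "exportable": False,
        "allow_plaintext_backup": False,
    }


def unwrap_like_vault(ciphertext: str, wrapping_priv: rsa.RSAPrivateKey) -> bytes:
    """Verification only: the server-side unwrap Vault does with its wrapping private key."""
    blob = base64.b64decode(ciphertext)
    n = wrapping_priv.key_size // 8                  # OAEP output is exactly modulus-sized
    ephemeral = wrapping_priv.decrypt(blob[:n], OAEP_SHA256)
    return aes_key_unwrap_with_padding(ephemeral, blob[n:])


def demo_keys() -> Tuple[bytes, rsa.RSAPrivateKey, bytes]:
    """Constructed stand-ins: a GitHub-style 2048-bit App key in PKCS#1 PEM and a
    local wrapping pair (2048 bits only to keep the demo fast; Vault uses 4096)."""
    app_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    app_pem = app_key.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.TraditionalOpenSSL,
                                    serialization.NoEncryption())
    wrapping_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrapping_pub_pem = wrapping_priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return app_pem, wrapping_priv, wrapping_pub_pem


if __name__ == "__main__":
    app_pem, wrapping_priv, wrapping_pub_pem = demo_keys()
    ciphertext, key_type = wrap_for_transit_import(app_pem, wrapping_pub_pem)
    print(import_request_body(ciphertext, key_type)["type"])
    print(unwrap_like_vault(ciphertext, wrapping_priv) == pkcs8_der(app_pem))
```

Against a real Vault the public key comes from `GET /v1/transit/wrapping_key` (field `data.public_key`), which is why the import policy grants read on that path.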
Issue policy
Day-to-day signing only needs update on the sign endpoint for this one key: no read on transit/keys/my-github-app and no export capability.
```hcl
path "transit/sign/my-github-app" {
  capabilities = ["update"]
}
```
Vault Token
For obtaining the initial Vault Token, see the hvac Python library and its Auth Methods documentation.
File details
Details for the file hv4gha-0.2.3.tar.gz
File metadata
- Download URL: hv4gha-0.2.3.tar.gz
- Size: 8.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | de65bc15557a975357bf7a6916db0daff7fd98930101c683236ce01c36b3b677 |
| MD5 | ece7369fbc1b2e5c373a9b6ef3ee18ee |
| BLAKE2b-256 | bce36a73f8b9e4f1067e80f9ce0636a2f8bb9f93d8f38e3b32e60f3c87d1da4c |
File details
Details for the file hv4gha-0.2.3-py3-none-any.whl
File metadata
- Download URL: hv4gha-0.2.3-py3-none-any.whl
- Size: 9.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/4.0.2 CPython/3.11.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6b37b09d9beafbff368c30f780d919abfd5be5abef17f9f65d34d52d53fd4421 |
| MD5 | c502611265d839e29b775f9d0bbf05aa |
| BLAKE2b-256 | d4ff5ef32fb2ba9393ebab2f8d6a897a47732a9e3fb03e9bba4d6bcfdf01ad96 |