
Use HashiCorp Vault to manage a GitHub App's private RSA key.

Project description

HashiCorp Vault for GitHub Apps

Python library for using HashiCorp Vault's Transit secrets engine to manage a GitHub App's private RSA key. More precisely, the library provides the following pieces of functionality.

  • Perform the initial one-way import of the App's private key into Vault (Vault can sign with the key afterwards, but will not hand it back out)
  • Issue (short-lived) GitHub Access Tokens
    • Have Vault sign a JWT using the App's private key
    • Exchange that JWT with GitHub for an installation Access Token

Conceptually Vault here fills the role of an HSM or a Cloud KMS: the private key never leaves Vault, and callers only ever receive signatures.

See Authenticating as a GitHub App installation (GitHub Docs) for context.

The library is also tested against OpenBao.

Installation

pip install hv4gha

Usage

In addition to the examples below see also the hv4gha/entry.py docstrings.

Import App key

from hv4gha import import_app_key

with open("/path/to/github-app.private-key.pem", "r") as akh:
    my_app_key = akh.read()

response = import_app_key(
    pem_key=my_app_key,
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
)

key_version = response["key_version"]

Issue Access Token

from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_client_id="Iv1.bc01362e9d72c72a",
    account="andreaso",
)

access_token = response["access_token"]
token_expiry = response["expires_at"]

Issue scoped Access Token

from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_client_id="Iv1.bc01362e9d72c72a",
    account="andreaso",
    permissions={"contents": "read"},
    repositories=["world-domination"],
)

access_token = response["access_token"]
token_expiry = response["expires_at"]
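To make the two-step exchange behind issue_access_token concrete, here is an added, stand-alone example written for this page; it is not hv4gha's own code, and its function names and the constructed inputs are illustrative. It builds the header.payload half of the RS256 JWT GitHub expects (iss set to the App's client ID, iat backdated 60 seconds for clock skew, exp at most 10 minutes out), shows the body that would be POSTed to transit/sign/<key> (SHA-256 prehashed, PKCS#1 v1.5, since Transit's default for RSA keys is PSS and GitHub will not accept that), converts Vault's vault:vN:<base64> signature into the base64url JWS segment, and builds the body for the installation access-token request with the optional permissions and repositories scoping. The Vault and GitHub HTTP calls themselves are left out so the code runs offline.

```python
"""Added example, not part of hv4gha: the JWT/Transit exchange shown as
pure stdlib code with the network calls left out."""
import base64
import hashlib
import json

# GitHub rejects App JWTs whose lifetime exceeds 10 minutes.
MAX_JWT_LIFETIME = 600


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_signing_input(client_id: str, now: int, lifetime: int = MAX_JWT_LIFETIME) -> bytes:
    """Return header.payload for an RS256 GitHub App JWT.

    iat is backdated 60 s to tolerate clock skew between us and GitHub,
    which is what GitHub's own docs recommend.
    """
    if not 0 < lifetime <= MAX_JWT_LIFETIME:
        raise ValueError("GitHub App JWTs may live at most 10 minutes")
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": now - 60, "exp": now + lifetime, "iss": client_id}
    compact = dict(separators=(",", ":"))
    return (b64url(json.dumps(header, **compact).encode()) + "." +
            b64url(json.dumps(payload, **compact).encode())).encode("ascii")


def transit_sign_request(signing_input: bytes) -> dict:
    """Body for POST transit/sign/<key>.

    RS256 is RSASSA-PKCS1-v1_5 over SHA-256, so hash locally and ask Vault
    for a prehashed pkcs1v15 signature over the base64-encoded digest.
    """
    digest = hashlib.sha256(signing_input).digest()
    return {
        "input": base64.b64encode(digest).decode("ascii"),
        "hash_algorithm": "sha2-256",
        "signature_algorithm": "pkcs1v15",
        "prehashed": True,
    }


def assemble_jwt(signing_input: bytes, vault_signature: str) -> str:
    """Vault returns 'vault:v<N>:<standard base64>'; JWS wants base64url."""
    prefix, version, sig_b64 = vault_signature.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("unexpected Transit signature format")
    return signing_input.decode("ascii") + "." + b64url(base64.b64decode(sig_b64))


def decode_claims(jwt: str) -> dict:
    """Unverified decode, only to inspect what we are about to send."""
    header_b64, payload_b64, _ = jwt.split(".")

    def dec(segment: str) -> dict:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

    return {"header": dec(header_b64), "payload": dec(payload_b64)}


def access_token_request(permissions=None, repositories=None) -> dict:
    """Body for POST /app/installations/{id}/access_tokens.

    Omitting both fields yields a token carrying every permission the
    installation has on every repository, so scoping down is the safer default.
    """
    body = {}
    if permissions:
        body["permissions"] = dict(permissions)
    if repositories:
        body["repositories"] = list(repositories)
    return body


if __name__ == "__main__":
    # Constructed sample run: a fixed clock and a fake 3-byte Transit signature.
    signing_input = build_signing_input("Iv1.bc01362e9d72c72a", now=1_700_000_000)
    print(transit_sign_request(signing_input))
    jwt = assemble_jwt(signing_input, "vault:v1:AAAA")
    print(decode_claims(jwt))
    print(access_token_request({"contents": "read"}, ["world-domination"]))
```

The installation id needed for the access-token request is looked up with the JWT as a Bearer token; hv4gha resolves it from the account argument, which is why the library asks for an account rather than an installation id.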

Vault requirements

Somewhat simplified, this is what is required on the Vault side.

Transit secrets engine

First of all, the Transit Engine needs to be enabled.

vault secrets enable transit

The policies below assume the default transit/ mount point; adjust the paths if the engine is mounted elsewhere.

Import policy

path "transit/wrapping_key" {
  capabilities = ["read"]
}

path "transit/keys/my-github-app" {
  capabilities = ["read"]
}

path "transit/keys/my-github-app/import" {
  capabilities = ["update"]
}

path "transit/keys/my-github-app/import_version" {
  capabilities = ["update"]
}

Issue policy

The token-issuing side only needs Vault to produce signatures; it never has to read or manage the key itself, so its policy is limited to this single path.

path "transit/sign/my-github-app" {
  capabilities = ["update"]
}

Vault Token

For obtaining the initial Vault Token, see the hvac Python library and its Auth Methods documentation.

Download files


Source Distribution

hv4gha-0.4.1.tar.gz (9.1 kB view details)

Uploaded Source

Built Distribution


hv4gha-0.4.1-py3-none-any.whl (10.5 kB view details)

Uploaded Python 3

File details

Details for the file hv4gha-0.4.1.tar.gz.

File metadata

  • Download URL: hv4gha-0.4.1.tar.gz
  • Size: 9.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for hv4gha-0.4.1.tar.gz
Algorithm Hash digest
SHA256 decedfa7e5db19d2f884537ef1a8037a953536fef5cd646f187517aab9e09e1d
MD5 f0a0f230b8842b67452f8cd0ea4965a0
BLAKE2b-256 c6adcbf7ae6a2b751e2f919a8e72b28bc863756acd3018e2eb065b289b8acc28


Provenance

The following attestation bundles were made for hv4gha-0.4.1.tar.gz:

Publisher: publish.yaml on andreaso/hv4gha

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file hv4gha-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: hv4gha-0.4.1-py3-none-any.whl
  • Size: 10.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for hv4gha-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a8814dfd60ba2d237719ac037578955e530d6a048cb652d99ef20f6c3070d52f
MD5 5eb46f966fb119d9531387c7e6f0db65
BLAKE2b-256 abbc93f4c0b193d74d1e576afa432574b5439397472552b5320610fb9c57ecaa


Provenance

The following attestation bundles were made for hv4gha-0.4.1-py3-none-any.whl:

Publisher: publish.yaml on andreaso/hv4gha

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
