
Use HashiCorp Vault to manage a GitHub App's private RSA key.

Project description

HashiCorp Vault for GitHub Apps

Python library for using HashiCorp Vault's Transit Engine to manage a GitHub App's private RSA key. More precisely, the library provides the following pieces of functionality.

  • Perform initial import of the App's private key into Vault
  • Have Vault sign the needed JWT and then request a GitHub Access Token

See Authenticating as a GitHub App installation (GitHub Docs) for context.

Installation

pip install hv4gha

Usage

In addition to the examples below, see also the hv4gha/entry.py docstrings.

Import App key

from hv4gha import import_app_key

with open("/path/to/github-app.private-key.pem", "r") as akh:
    my_app_key = akh.read()

import_app_key(
    pem_key=my_app_key,
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
)

Issue Access Token

from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_id=368468,
    account="andreaso",
)

access_token = response["access_token"]
token_expiry = response["expires_at"]

Issue scoped Access Token

from hv4gha import issue_access_token

response = issue_access_token(
    key_name="my-github-app",
    vault_addr="https://vault.example.com:8200",
    vault_token="...",
    app_id=368468,
    account="andreaso",
    permissions={"contents": "read"},
    repositories=["world-domination"],
)

access_token = response["access_token"]
token_expiry = response["expires_at"]
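The issue_access_token step above (the second bullet in the introduction) has Vault sign the App JWT and then presents that JWT to GitHub. The helpers below are an added example, not hv4gha's own code: they build the JWS signing input, the request body a caller would post to Vault's transit sign endpoint, and the conversion of Vault's "vault:v1:<base64>" signature into the JWT's third segment. The App ID and timestamps are constructed; the parameter values hash_algorithm=sha2-256 and signature_algorithm=pkcs1v15 are what RS256 (RSASSA-PKCS1-v1_5 over SHA-256) requires and are assumed to be what a Vault-backed signer sends; the HTTP calls to Vault and GitHub themselves are left out so the block runs offline.

```python
import base64
import json
import time
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """JWS base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment back into its JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_signing_input(app_id: int, now: int) -> str:
    """Return the JWS signing input "<header>.<payload>" for a GitHub App JWT.

    GitHub requires RS256, iss = App ID, iat backdated slightly to absorb clock
    skew, and exp no more than 10 minutes after issuance.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}

    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    return f"{enc(header)}.{enc(payload)}"


def vault_sign_request(signing_input: str) -> dict:
    """Body for POST transit/sign/<key-name> (assumed parameter values, see lead-in).

    Vault base64-decodes `input` and hashes it itself, so the raw signing input
    is sent rather than a digest. RS256 needs PKCS#1 v1.5 padding; Vault's
    default (pss) would yield a signature GitHub rejects.
    """
    return {
        "input": base64.b64encode(signing_input.encode("ascii")).decode("ascii"),
        "hash_algorithm": "sha2-256",
        "signature_algorithm": "pkcs1v15",
    }


def assemble_jwt(signing_input: str, vault_signature: str) -> str:
    """Append a Vault transit signature as the JWT's third segment.

    Vault returns "vault:v<N>:<standard base64>", while JWS wants the raw
    signature bytes as unpadded base64url.
    """
    prefix, version, sig_b64 = vault_signature.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError(f"unexpected Vault signature format: {vault_signature!r}")
    return f"{signing_input}.{b64url(base64.b64decode(sig_b64))}"


def token_needs_refresh(expires_at: str, now_ts: float, margin_s: int = 300) -> bool:
    """Decide from GitHub's expires_at (e.g. '2024-05-01T12:00:00Z') whether to re-issue.

    Installation tokens are short-lived; refresh a little before expiry instead
    of letting a running job fail mid-way.
    """
    exp = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return exp.timestamp() - now_ts <= margin_s


if __name__ == "__main__":
    signing_input = build_signing_input(368468, int(time.time()))  # constructed App ID
    print(vault_sign_request(signing_input))
    # Constructed stand-in for the "signature" field in Vault's response.
    fake_sig = "vault:v1:" + base64.b64encode(b"\x00\xff" * 3).decode("ascii")
    print(assemble_jwt(signing_input, fake_sig))
    print(token_needs_refresh("2024-05-01T12:00:00Z", datetime.now(timezone.utc).timestamp()))
```

The assembled JWT is what gets sent as the Bearer token to GitHub's POST /app/installations/{installation_id}/access_tokens call; the response's access_token and expires_at are the two values the usage examples above read out. Decoding the payload segment before signing is a cheap sanity check that the exp window is within GitHub's limit.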

Vault requirements

Somewhat simplified, this is what's required on the Vault side. The import and issue policies are kept separate on purpose: whatever issues tokens day to day only needs the sign capability and never the ability to import or read key material.

Transit secrets engine

First of all, the Transit Engine needs to be enabled.

vault secrets enable transit

Here we are sticking to the default transit/ mount point.

Import policy

path "transit/wrapping_key" {
  capabilities = ["read"]
}

path "transit/keys/my-github-app/import" {
  capabilities = ["update"]
}

Issue policy

path "transit/sign/my-github-app" {
  capabilities = ["update"]
}

Vault Token

For obtaining the initial Vault Token, see the hvac Python library and its Auth Methods documentation.

Download files

Source Distribution: hv4gha-0.2.3.tar.gz (8.5 kB)

Built Distribution: hv4gha-0.2.3-py3-none-any.whl (9.9 kB, Python 3)
