ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Support for Github App for server-to-server token #10840

Open itsmeabhijeet opened 3 years ago

itsmeabhijeet commented 3 years ago
ISSUE TYPE

SUMMARY

Currently we use deploy keys to integrate GitHub with AWX, but this concept fails in the case of an Ansible playbook that depends on multiple Ansible roles. As these roles are separate repos, an individual deploy key fails to check out the other repos.

wenottingham commented 3 years ago

Assumption: this is for roles that are pulled from requirements.yml?

If so, there's not much we can do from the AWX side - even if we could pass a token, it would be one token that would be applied to both the initial project checkout and all role (or collection) checkouts - passing a single token that is for a repo with roles would then fail as soon as there are multiple roles in different repos.

Ideally, the galaxy requirement format would allow specifying authentication in the requirements.yml that ansible-galaxy would use.

itsmeabhijeet commented 3 years ago

Hello @wenottingham, yes, your assumption is correct. Our playbooks are dependent on multiple roles which are pulled from requirements.yml. They are not only Galaxy roles but also our own Ansible roles, which are separate repos. I was hoping that in future the server-to-server token as mentioned here could be implemented; it would be a more secure and appropriate way, where I can use the GitHub App ID as deploy keys in GitHub and the corresponding private key as a credential secret in AWX (maybe of type GitHub App?).

Current workaround: I am currently using my personal PAT in AWX to make the Ansible template work. It is not a good way, just a workaround.

Please suggest or let me know if there is any other way better than using a GitHub PAT.
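Added example, not part of the thread and not AWX code: the comment above proposes a credential made of a GitHub App ID and its private key, and this Go program shows the first step of that server-to-server flow, minting the short-lived RS256 JWT and checking it as the receiving side would. The App ID `12345`, the generated `DemoKey` and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding                     // JWT segments are unpadded base64url
var DemoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key (constructed)

// MintAppJWT signs the RS256 JWT a GitHub App presents to request an installation token.
func MintAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": appID,                           // the GitHub App ID
		"iat": now.Add(-time.Minute).Unix(),    // backdated to tolerate clock drift
		"exp": now.Add(9 * time.Minute).Unix(), // GitHub allows at most 10 minutes ahead
	})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyAppJWT checks the signature with the App's public key, then returns the claims.
func VerifyAppJWT(token string, pub *rsa.PublicKey) (claims map[string]interface{}, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	sig, _ := b64.DecodeString(parts[2]) // an undecodable signature fails the check below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	payload, _ := b64.DecodeString(parts[1])
	err = json.Unmarshal(payload, &claims)
	return claims, err
}

func main() {
	fmt.Println(MintAppJWT("12345", DemoKey, time.Now())) // "12345" is a placeholder App ID
}
```

The signed JWT is then exchanged at GitHub's `POST /app/installations/{installation_id}/access_tokens` endpoint for a short-lived installation token, so no personal account or long-lived PAT has to be stored in the automation system.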

OneCyrus commented 1 year ago

Just wanted to add my vote for GitHub App. This would help a lot to get rid of personal accounts as service accounts. GitHub App support for all git connections would be a perfect solution.

larsskj commented 1 year ago

Couldn't agree more: Using a personal ID for a system like AWX is a very wrong and insecure approach - adding support for a proper GitHub App would be much better.

Maybe I should add: We're running on GitHub Enterprise SaaS connected as Enterprise Managed Users, so we cannot create PATs at all. In principle this prevents us from implementing AWX in our organization.