diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0
2.85k stars 132 forks

Support standalone secret managers (aws-vault / Hashicorp Vault / etc) #97

Open carlspring opened 1 year ago

carlspring commented 1 year ago

It would be cool if, instead of having to set up GitHub tokens for the AWS keys, this could be neatly integrated with 99designs/aws-vault. On privately hosted GitHub Actions Runners, this would make things a lot more secure.

motatoes commented 1 year ago

Hi @carlspring, thanks for the contribution! You are helping us make this tool better for everyone. This is an interesting one indeed for the case of private GitHub runners. Do you have a specific scenario in mind for this, or how it could work? For example, we could distribute aws-vault along with the tool, or install it ahead of using the CLI and still map it as environment variables to digger.

carlspring commented 1 year ago

Hi @motatoes,

Typically, we would have privately hosted GitHub Action Runners running via our own custom Docker images (available via private ECR, or another private registry). These images would have aws-vault on them, and the access keys would be added via the key/values stored in SSM. This infrastructure itself is also Terraformed, which is how these credentials are pre-configured. There is no exporting of credentials via variables or anything leaking. All the Terraform scripts are executed via aws-vault exec.

This would allow users to have a rather secure setup.

Of course, you can set up your credentials as GitHub secrets, but if you're hosting this on a public runner, there's always a risk of leaking the secrets if some malicious actor tries fiddling around via a well-crafted pull request.
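As an added example (not code from Digger or from anyone in this thread), a POSIX shell wrapper for the pattern described above: it refuses to run when static AWS credential variables are exported into the runner's environment, and otherwise hands the IaC command to `aws-vault exec`. The profile name `digger-ci` and the presence of `aws-vault` in the runner image are assumptions.

```shell
#!/bin/sh
# Constructed example: run IaC commands under aws-vault exec so that no
# long-lived AWS keys live in GitHub secrets or the runner environment.
# Assumes aws-vault is on PATH in the runner image and that the profile
# passed in (e.g. the placeholder "digger-ci") exists in ~/.aws/config.
set -eu

# Static-credential variables that must NOT be exported with this pattern;
# if any is set, credentials are being passed the old (leak-prone) way.
STATIC_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN"

# Returns 0 when no static credential variable is set, 1 otherwise.
# Names each offending variable on stderr so the CI log shows what leaked.
check_no_static_creds() {
  leaked=0
  for var in $STATIC_CRED_VARS; do
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
      echo "refusing to run: $var is set in the environment" >&2
      leaked=1
    fi
  done
  return "$leaked"
}

# Prints the exact command line that would be executed, e.g.
# "aws-vault exec digger-ci -- terraform plan", so it can be reviewed
# or tested without aws-vault installed.
build_vault_cmd() {
  profile="$1"; shift
  printf '%s' "aws-vault exec $profile --"
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Runs the IaC command through aws-vault exec: the short-lived session
# credentials only exist inside the child process, never in this shell.
# Usage: run_with_vault digger-ci terraform plan
run_with_vault() {
  profile="$1"; shift
  check_no_static_creds || return 1
  command -v aws-vault >/dev/null 2>&1 || { echo "aws-vault not found on PATH" >&2; return 127; }
  aws-vault exec "$profile" -- "$@"
}
```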

ZIJ commented 1 year ago

Alternatively (or both, perhaps): HashiCorp Vault. Suggested by Joseph Beadle:

A quick win … HashiCorp Vault, is that supported? It's easy to integrate as it's Golang also, and does Azure, AWS and GCP secret management!

carlspring commented 1 year ago

This should probably be its own issue, just like HashiCorp Vault should be a separate thing as well and there should probably be a parent / epic issue linking this sort of work.