
Source control authentication with GitHub App instead of PAT

Open OneCyrus opened this issue 1 year ago • 12 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

Currently the authentication against a GitHub repository is done through a personal access token (PAT). This token is always associated with a specific user account, which is not that great in an enterprise environment.

For server-to-server communication GitHub recommends GitHub Apps, which use token exchange for short-lived tokens. It would be great to have this as an alternative to PAT.

https://docs.github.com/en/get-started/quickstart/github-glossary#server-to-server-request https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation

Select the relevant components

  • [ ] UI
  • [ ] API
  • [ ] Docs
  • [ ] Collection
  • [ ] CLI
  • [ ] Other

Steps to reproduce

Add a GitHub repo credential. There's only the option for a PAT.

Current results

A PAT is used, which is associated with a specific user.

Suggested feature result

Decouple GitHub access from a user account. This also allows changing permissions on GitHub for different repos without generating a new PAT for every change.

Additional information

No response

OneCyrus avatar Apr 14 '23 13:04 OneCyrus

Hello,

We are also interested in GitHub App compatibility, as the usage of PATs does not align well with some of our security compliance requirements.

akingstonlas avatar Aug 11 '23 18:08 akingstonlas

+1 also interested

sbrile avatar Aug 22 '23 14:08 sbrile

+1 Also interested. Personal Access Tokens are not the recommended way for production usage.

hollebevi avatar Aug 24 '23 07:08 hollebevi

+1 also interested.

chrheg avatar Nov 21 '23 11:11 chrheg

+1 also interested.

bmainard avatar Dec 01 '23 15:12 bmainard

+1 also interested

marymerc avatar Dec 08 '23 15:12 marymerc

+1 also interested

hrgrigorov avatar Feb 16 '24 13:02 hrgrigorov

+1 I am currently looking for a solution to this as well

bobshinabery avatar Feb 22 '24 14:02 bobshinabery

+1 looking for something similar

amalivert avatar Mar 12 '24 13:03 amalivert

I also would like something more native in AWX, but with AWX features I could solve the issue.

First, develop a credential plugin as documented in https://github.com/ansible/awx-custom-credential-plugin-example/tree/master

In AWX there are more examples of Plugins https://github.com/ansible/awx/tree/devel/awx/main/credential_plugins

To build the plugin, Example: Using Python to generate a JWT

Using an installation access token to authenticate as an app installation

In the end, this credential plugin just returns a token, like a PAT.

Second, it is necessary to link the password of a "Source Control" credential with the result of the previous plugin, as explained in HashiCorp Vault SSH Secrets Engine.

Different secrets, but same concept.

flippipe avatar May 10 '24 16:05 flippipe
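The two steps flippipe describes (sign an App JWT, exchange it for an installation access token, hand that token to AWX like a PAT), as an added example credential plugin. This is not code from AWX or from the linked example repo; it only mirrors the `CredentialPlugin(name, inputs, backend)` shape those plugins use. The plugin name, field ids and the `github_app_lookup` function are assumptions, and RS256 signing assumes PyJWT with the cryptography backend is installed.

```python
import collections
import json
import time
import urllib.request
from datetime import datetime, timezone

# Same (name, inputs, backend) shape that AWX credential plugins are built from.
CredentialPlugin = collections.namedtuple('CredentialPlugin', ['name', 'inputs', 'backend'])

GITHUB_API = 'https://api.github.com'
JWT_TTL = 600     # GitHub rejects App JWTs that are valid for more than 10 minutes
CLOCK_SKEW = 60   # backdate iat so clock drift between AWX and GitHub does not break auth


def build_app_jwt_claims(app_id, now=None):
    """Claims for the App-level JWT: issuer is the App ID, lifetime is short."""
    now = int(time.time()) if now is None else int(now)
    return {'iat': now - CLOCK_SKEW, 'exp': now + JWT_TTL, 'iss': str(app_id)}


def sign_app_jwt(app_id, private_key_pem):
    import jwt  # PyJWT; imported here so the claim logic has no hard dependency on it
    return jwt.encode(build_app_jwt_claims(app_id), private_key_pem, algorithm='RS256')


def parse_installation_token(body, now=None):
    """Extract the token from the access_tokens response, rejecting an expired one."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    now = time.time() if now is None else now
    expires = datetime.strptime(data['expires_at'], '%Y-%m-%dT%H:%M:%SZ')
    if expires.replace(tzinfo=timezone.utc).timestamp() <= now:
        raise ValueError('installation token already expired')
    return data['token']


def github_app_lookup(**kwargs):
    """Backend AWX calls with the credential's fields and metadata merged (assumed name)."""
    app_jwt = sign_app_jwt(kwargs['app_id'], kwargs['private_key'])
    url = f"{GITHUB_API}/app/installations/{kwargs['installation_id']}/access_tokens"
    req = urllib.request.Request(url, method='POST', headers={
        'Authorization': f'Bearer {app_jwt}', 'Accept': 'application/vnd.github+json'})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_installation_token(resp.read())  # short-lived, scoped to the installation


github_app_plugin = CredentialPlugin(
    'GitHub App Installation Token',  # assumed plugin name
    inputs={'fields': [{'id': 'app_id', 'label': 'App ID', 'type': 'string'},
                       {'id': 'private_key', 'label': 'Private Key (PEM)', 'type': 'string',
                        'secret': True, 'multiline': True}],
            'metadata': [{'id': 'installation_id', 'label': 'Installation ID', 'type': 'string'}],
            'required': ['app_id', 'private_key', 'installation_id']},
    backend=github_app_lookup)
```

The returned token is then linked into the password field of the Source Control credential, so every checkout uses a token that expires on its own instead of a long-lived PAT tied to a person.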

I don't have an AWX solution for you all (regrettably), but I put together this quick Golang app that may help in a partial solve: https://github.com/nwaringa/tokenclone.

The (theoretical) pattern is essentially a two step workflow:

  • Run job with auth, clone repos down
  • Run your job with repos existing

Internally we are playing with this.

nwaringa avatar May 22 '24 15:05 nwaringa