shelmangroup/github-rulla-nycklar

github-rulla-nycklar

[execution flow diagram]

  • container image: quay.io/shelman/github-rulla-nycklar
  • example bot repo that schedules the tool with GitHub Actions

Problem statement

In a world of cloud we sometimes need secrets in the form of a service account key. They also need to be rotated to improve security and lower the risk if a secret leaks.

In this case we are working with the integration between Google Cloud Platform and github.com. We like service accounts and we like to use them in GitHub Actions as secrets. To rotate the secrets and keep things secure, we don't want to update the secrets manually.

Solution

To solve this problem we have chosen to rotate the secrets using this program. It uploads the new version of the secret under a known secret name that is the same in every repo the program manages. The secret is a Google service account key; with that service account a workflow can fetch further secrets directly from Google Secret Manager (link).

Limitations

  • one repo means one service account in Google Cloud.
  • the name of the service account secret is the same in all repos.
  • only one key is handled, and that is the service account key.
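The rotation order the solution relies on (create the new key, publish it to the repo secret, then delete the old keys), as an added Go example that is not the project's code. KeyStore, SecretStore, Rotate and the in-memory fakes are hypothetical names; the real tool talks to the Google IAM and GitHub Actions APIs instead.

```go
package main
import "fmt"
// Hypothetical interfaces: KeyStore stands in for the Google IAM key API, SecretStore for GitHub Actions secrets.
type KeyStore interface {
	ListKeys(email string) ([]string, error)                         // ids of existing user-managed keys
	CreateKey(email string) (id string, material []byte, err error) // material is the key JSON
	DeleteKey(email, id string) error
}
type SecretStore interface{ PutSecret(repo, name string, value []byte) error }
// Rotate serves one repo and its one service account. Order matters: create the new key, publish it
// under secretName, and only then delete the keys that were there before, so the secret never refers
// to a deleted key. Against the real IAM API, ListKeys must return only USER_MANAGED keys.
func Rotate(ks KeyStore, ss SecretStore, repo, email, secretName string) (string, error) {
	old, err := ks.ListKeys(email)
	if err != nil { return "", err }
	id, material, err := ks.CreateKey(email)
	if err != nil { return "", err }
	if err := ss.PutSecret(repo, secretName, material); err != nil {
		_ = ks.DeleteKey(email, id) // roll back so no unused key is left behind
		return "", fmt.Errorf("upload to %s failed: %w", repo, err)
	}
	for _, k := range old {
		if err := ks.DeleteKey(email, k); err != nil {
			return id, fmt.Errorf("new key %s is live but old key %s remains: %w", id, k, err)
		}
	}
	return id, nil
}

// In-memory fakes so the example runs offline; fail=true exercises the roll-back path.
type fakeKeys struct{ keys map[string]map[string]bool; n int } // email -> set of key ids
type fakeSecrets struct{ vals map[string][]byte; fail bool }    // "repo/name" -> value

func (f *fakeKeys) ListKeys(e string) (ids []string, _ error) {
	for id := range f.keys[e] { ids = append(ids, id) }
	return ids, nil
}
func (f *fakeKeys) CreateKey(e string) (string, []byte, error) {
	f.n++; id := fmt.Sprintf("key-%d", f.n); f.keys[e][id] = true
	return id, []byte(`{"type":"service_account","private_key_id":"` + id + `"}`), nil
}
func (f *fakeKeys) DeleteKey(e, id string) error {
	if !f.keys[e][id] { return fmt.Errorf("no key %s", id) }
	delete(f.keys[e], id); return nil
}
func (f *fakeSecrets) PutSecret(repo, name string, v []byte) error {
	if f.fail { return fmt.Errorf("github api unavailable") }
	f.vals[repo+"/"+name] = v; return nil
}
```

Call Rotate once per --repo-to-email pair, passing the shared --secret-name as secretName.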

Usage

example

./_bin/github-rulla-nycklar \
    --github-key-file="<name of key>.private-key.pem" \
    --github-app-id=<id> \
    --github-install-id=<id> \
    --owner=<org> \
    --repo-to-email="test-foo=github-test-foo@<project id>.iam.gserviceaccount.com" \
    --repo-to-email="test-bar=github-test-bar@<project id>.iam.gserviceaccount.com" \
    --secret-name="SuperHemligSecret"

Installing

The example runs the tool inside a GitHub Action. To do this you need to do the following.

Install it as a GitHub App in the GitHub org.
  • Assign the permissions listed below
  • Note the GitHub App ID and Install ID
  • Generate a GitHub key file (the PEM private key)

The app requires these permissions:

Permission   Access
Actions      Read-only
Contents     Read-only
Metadata     Read-only
Secrets      Read & write

Get GitHub install ID

To find the install ID on GitHub, go to Org > Settings > Installed GitHub Apps > AppName > Configure. The install ID is the last part of the URL: https://github.com/organizations/<ORG>/settings/installations/<install id>

Create Google service account key.

The service account can act in multiple Google projects. To allow this, the service account needs the Service Account Key Admin role in each of those projects, so it is allowed to create, delete and list service account keys.

  • Create the service account
  • Get a service account key
  • Assign Service Account Key Admin in all projects that need to have keys rotated

Create a GitHub repo that can host the GitHub Action

Now for the actual setup to make it run. At this point I expect that we have the following:

  • google service account
  • github AppId
  • github InstallID
  • github app private key

You can find an example GitHub Action here. Using it, fill in the information and place it in .github/workflows/

Create Github secrets

In the project where we run the GitHub Action we need secrets. Some secrets need to be base64 encoded, see the list.

NOTE: to base64 encode a file and copy it to the macOS clipboard: cat credentials.json | base64 | pbcopy

  • Secret name GCP_PROJECT_ID: string, the project ID where the service account lives
  • Secret name ORG: string, the GitHub org it's running in
  • Secret name INSTALL_ID: string, the GitHub App install ID
  • Secret name APP_ID: string, the GitHub App ID
  • Secret name GCP_SA_KEY: base64 encoded content of the service account JSON
  • Secret name PRIVATE_KEY_PEM: base64 encoded content of the GitHub private key PEM

Dev setup

$ go mod vendor
$ go mod download

About

Rotate google service account keys stored as secrets in github
