Rotate Personal Access Tokens #24366
-
Our organization uses GitHub service accounts, and those use personal access tokens for a variety of tasks. We have a requirement that all accounts have multifactor authentication (MFA/TOTP) enabled. We also have a requirement that all keys be rotated on a regular basis, and this includes personal access tokens. Is there any way that a personal access token can either be created or regenerated via a personal access token without a password? We can rotate the personal access token using the API using basic authentication, but currently we need both the password and the MFA TOTP, which inhibits automation. An example bash script to rotate a personal access token is [here](https://gist.github.com/StevenACoffman/f0c084b428977430d2baacd0263c3563).
Replies: 6 comments 2 replies
-
As far as I know, there is no way to generate new personal access tokens using only a personal access token. I have some Ruby code that I use to create a new personal access token inside scripts that handles 2FA. So the rotation step could be automated, but the TOTP code would still have to be supplied manually via a script, tool, or webpage at the time of rotation. I hope that helps!
-
If you use Vault you can use this: https://github.com/kuperiu/vault-plugin-secrets-github/
-
GitHub could add an API endpoint to rotate a PAT like GitLab has: https://docs.gitlab.com/ee/api/personal_access_tokens.html#rotate-a-personal-access-token
-
Is there an API for this?
-
So rotation of the PAT is not going to be available under any circumstances?
-
You can generate a personal access token to achieve this.