Update Secrets for Repos in Org via Python

We are starting to use GitHub Actions more and more for CICD functionality but for them to connect to AWS we need to have an IAM User (sigh!).

What I’d like to do is have each repo have it’s own IAM User and the access keys assigned to that IAM User are rotated daily for security purposes. We’d then update the secret on that repo with the new creds.

The script to do all this would likely run from AWS Lambda and figured I could use the GitHub API’s to achieve the result but authentication is a massive issue here - I’ve tried using a GitHub App and OAuth App but can’t work out how, using Python, I’d actually be able to get this working. Seems Personal Access Tokens are the easiest way forward but that would have to be tied to someone but if that person leaves then the whole thing would fall over.

Anyone have any recommendations on how I’d get this working successfully/

Thanks in advance :slight_smile:

1 Like

Managing secret rotation is also a struggle we are currently dealing with and we are looking for a good and secure solution to this.

Your approach with regularly changing the secrets from a Lambda sounds interesting but it seems like you are just shifting the problem to the Lambda, since you would introduce a PAT or client secret for the oauth app, which would also need rotation.

I have seen an approach for Azure App Service, where Azure manages the GitHub Actions and secrets in your repo. That is done by an Azure managed oauth app removing that needed rotation from your plate. Haven’t seen anything like this from other cloud providers though.

Yeah, that’s a fair point about then having to rotate the oauth tokens too.

We’ve settled on a different approach. We’ll continue to have 1 IAM User in an AWS account that literally has sts:AssumeRole permissions to a very specific set of IAM Roles and we’ll also enforce External ID’s on the Roles. We’ll then use AssumeRole to assume a different role per repo.

This means that we can rotate the assume role IAM User’ credentials manually on a regular basis (until we find a nice way to automate this) and if someone did happen to obtain the credentials somehow they’d have to know what the role is that they can assume and also what the external ID is for that particular role.

It’s not perfect but I think it’s a good balance between security and usability.