Recently I have been working on designing and automating the deployment of GitHub Runners hosted by an Azure container Apps via Pulumi. One of the challenges is to authenticate with GitHub without the use of a long lived PAT token.
The more secure solution is to authenticate with GitHub App’s private key. The challenge is how to handle the private key in the form of a PEM securely.
Azure Key Vault offers a way:
- The PEM file is uploaded manually to the Key Vault as a Key
- Once in the Key Vault, the PEM file is not downloadable or visible to anyone
- The Key in the Vault can used to sign JWT tokens with the Key
The next challenge is how to access the Key Vault securely from the runners running inside the Container Apps.
Azure Managed Identity comes to the rescue.
During the bootstrap of the runners, we can sign in with Azure Cli with the Managed Identity of the Container App via DefaultAzureCredential, which has the RBAC role of CryptoUser permission, and request the Key Vault to sign a short-lived JWT token. Then we can request an access token from the installation of the GitHub App and finally use the access token to register our runner.
The big Gotcha is that only the System Managed Identity can be used this way, not the User Assigned Identity.
Top comments (0)