Enhance Bootstrapping Procedure for new Octo STS Backend #248

Open
dnlfdz opened this issue May 6, 2024 · 1 comment

dnlfdz commented May 6, 2024

Background

Today the bootstrapping process requires:

  • Create a GitHub App
  • Generate Private Key
  • Manually Place into KMS

The key import process is currently a bit cumbersome.

Proposed Enhancement

GitHub documentation outlines a way to do it referred to as App Manifest Flow. A GitHub App manifest is a way to share a preconfigured GitHub App registration with other users. The manifest flow allows someone to quickly register a GitHub App.

Other References: https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#create-a-github-app-from-a-manifest

P.S. Idea from @fproulx in discussion with @mattmoor and @dnlfdz on 2024-05-06

@fproulx-boostsecurity

Yeah, the way I see it is that the app is initially in pending-setup mode and you visit a page like https://sts.example.com/setup/UUID, and you get this URL in the log of the app when it starts, so that not just anyone can hook into that web flow. A simple web flow allows someone with Org owner permissions in their browser to complete the flow, ending with the private key in KMS etc.
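An added example in Go (not Octo STS code, written here to illustrate the flow in the issue and the comment above): the one-time setup token that is printed to the log and checked on the `/setup/<token>` path, and the parsing of the manifest-conversion response whose `pem` field is what would then be written to KMS. The conversion endpoint and its `id`/`slug`/`pem` fields come from the GitHub docs linked in the issue; the function names, the 16-byte token size and the sample JSON in the test are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// conversionResult: the fields of POST /app-manifests/{code}/conversions that
// bootstrapping needs; the private key in "pem" is what then goes into KMS.
type conversionResult struct {
	ID   int64  `json:"id"`
	Slug string `json:"slug"`
	PEM  string `json:"pem"`
}

// newSetupToken returns the one-time secret printed to the log at startup and
// embedded in the setup URL, so only someone who can read the log can start the flow.
func newSetupToken() (string, error) {
	b := make([]byte, 16) // assumed size: 128 bits of randomness
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// setupPathAllowed accepts /setup/<token> only when <token> equals the
// logged token, compared in constant time.
func setupPathAllowed(path, token string) bool {
	got := strings.TrimPrefix(path, "/setup/")
	if got == path || got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1
}

// parseConversion decodes the conversion response, rejecting a reply without an app id or key.
func parseConversion(body []byte) (conversionResult, error) {
	var r conversionResult
	if err := json.Unmarshal(body, &r); err != nil {
		return r, err
	}
	if r.ID == 0 || !strings.Contains(r.PEM, "PRIVATE KEY") {
		return r, fmt.Errorf("conversion response missing app id or pem")
	}
	return r, nil
}
```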
