How to authenticate and authorize in GitHub Actions chains of module source calls
Question
I have 3 private repositories (A, B, C) with 2FA. I'm a user in the organization but I don't own it.
I have the following chain of module calls in Terraform:
Repo A
  main.tf
    module "client" {
      source = "github.com/myorg/RepoB//"
    }
Repo B
  main.tf
    module "databases" {
      source = "github.com/myorg/RepoC//"
    }
When I run "terraform init" locally, I get prompted for the private key for my SSH keyfile for each of the repositories, in other words 3 times, and everything works.
When I try to execute that chain in GitHub Actions, the error message is:
Could not download module ... fatal: could not read Username for 'https://github.com'
I then changed all my references to modules from "github.com/myorg/RepoC//" to "git::ssh://myorg@github.com/RepoC//" and installed the SSH keys on the runner, first via known_hosts and id_rsa files and later via ssh-agent. The error on the GitHub Actions runner was:
Cloning into '.terraform/modules/client_instance'...
│ myorg@github.com: Permission denied (publickey).
│ fatal: Could not read from remote repository.
When I attempted to run that locally, I didn't get prompted and it just failed with "Permission denied (publickey)".
My questions are:
- What is the correct or preferred way to refer to modules in other repositories, even when they are in the same organization?
- How should the handling of SSH keys be accomplished? I tried deploy keys but may have misunderstood their use. When I set up deploy keys, I gave repo A the private portion of the key and repo B the public portion of the key, assuming that repo B will want to know whether repo A is authorized. That failed.
Answer 1
Score: 0
Based on Terraform / Module Sources / GitHub, you should use an SSH URL:
source = "git@github.com:myorg/RepoB.git"
(Trailing '/' should not be needed.)
Now, regarding the SSH keys and GitHub Actions, you can:
- Generate an SSH key pair if you haven't already.
- Add the public key to your GitHub account settings.
- Use the webfactory/ssh-agent action in your GitHub Actions workflow to set up the SSH agent with the private key, which should be stored as a secret in your GitHub repository settings.
Here's the updated sample workflow configuration for your GitHub Actions:
name: Terraform
on:
  push:
    branches:
      - main
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up SSH agent
        uses: webfactory/ssh-agent@v0.5.4
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v1.3.2
      - name: Terraform Init
        run: terraform init
Replace SSH_PRIVATE_KEY with the name of the secret containing your private key.
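An added example, not part of the original answer, showing the deploy-key variant the question asked about. The direction the question describes is the right one: the private half of a key is stored as a secret in the repository whose workflow runs terraform init (RepoA), and the public half is added as a read-only deploy key on the repository being cloned. Two things also have to hold for the chain to work: RepoA's runner clones both RepoB and RepoC (B's module calls C), and GitHub lets a deploy key be attached to only one repository, so RepoC needs its own key pair; and the SSH user for GitHub is always git, so a source of the form git::ssh://myorg@github.com/... is refused with Permission denied (publickey) whatever key is loaded. Pinning a ref on each source (for example source = "git::ssh://git@github.com/myorg/RepoB.git?ref=v1.2.0") keeps the module chain from silently following a moving default branch. The secret names, the action versions and the key-comment convention (the webfactory/ssh-agent README documents that, with several deploy keys, each key's comment must be the git@github.com:owner/repo.git URL of the repository it unlocks) are assumptions for this example and not taken from the page. Compared with the answer's personal account key, two read-only deploy keys give the workflow access to exactly the two module repositories and nothing else.

```yaml
# Example workflow for RepoA (added example; secret names, versions and key
# comments are assumptions). Each deploy key was generated with
#   ssh-keygen -t ed25519 -C "git@github.com:myorg/RepoB.git" -f repob_deploy_key
#   ssh-keygen -t ed25519 -C "git@github.com:myorg/RepoC.git" -f repoc_deploy_key
# The .pub halves go to Settings > Deploy keys on RepoB and RepoC respectively
# (leave "Allow write access" unchecked; terraform init only needs to clone).
# The private halves go to RepoA's Settings > Secrets as REPOB_DEPLOY_KEY and
# REPOC_DEPLOY_KEY.
name: Terraform

on:
  push:
    branches:
      - main

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Load both deploy keys. The action reads the repository URL from each
      # key's comment and routes the clone of that repository to that key,
      # which is what makes one job able to fetch from two repositories that
      # each accept a different key.
      - name: Set up SSH agent with deploy keys
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.REPOB_DEPLOY_KEY }}
            ${{ secrets.REPOC_DEPLOY_KEY }}

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3

      # Module sources in RepoA and RepoB must use the git user and an SSH URL,
      # e.g. source = "git::ssh://git@github.com/myorg/RepoB.git?ref=v1.2.0"
      # -input=false makes a missing credential fail the job instead of
      # hanging on a prompt that nobody can answer on a runner.
      - name: Terraform Init
        run: terraform init -input=false
```

If init still fails with Permission denied (publickey), check the three points in order: the module source's SSH user is git, the key comment matches the owner/repo of the repository being cloned, and that repository (not the one running the workflow) carries the matching public key under Deploy keys.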
Comments