-
-
Save a-h/02b883108d8322f7d4aedee55910890c to your computer and use it in GitHub Desktop.
| version: 0.2 | |
| env: | |
| parameter-store: | |
| build_ssh_key: "build_ssh_key" | |
| phases: | |
| install: | |
| commands: | |
| - mkdir -p ~/.ssh | |
| - echo "$build_ssh_key" > ~/.ssh/id_rsa | |
| - chmod 600 ~/.ssh/id_rsa | |
| - ssh-keygen -F github.com || ssh-keyscan github.com >>~/.ssh/known_hosts | |
| - git config --global url."git@github.com:".insteadOf "https://github.com/" | |
| - mkdir -p ${GOPATH}/src/github.com/a-h/project | |
| - cp -r $CODEBUILD_SRC_DIR/* $GOPATH/src/github.com/a-h/project | |
| - cd $GOPATH/src/github.com/a-h/project | |
| - make get | |
| build: | |
| commands: | |
| - cd $GOPATH/src/github.com/a-h/project | |
| - make test | |
| - make build |
But do you need the private or the public key?
Isn't it necessary to use the public key?
If that's the case, why do you store the public key in id_rsa and not in id_rsa.pub?
You need the private key to authenticate against private repos. Everyone's public key is available from Github already at e.g. https://github.com/EloyTolosa.keys so it wouldn't be much use as a way to restrict access to repos! 😁
The thing that's authenticating you can use your public key to verify that you have access to the private key, so in this case, Github has the public key (NOT the private key) and the CI user needs to prove that they have the private key.
It's been a few years since I looked at this (I'm use Github Actions for CI at the moment), but looking at this code, I'd say the process around it should be to put the key in SSM parameter store first, then update this code to use the AWS CLI to retrieve the key from the SSM parameter store, (making sure you've given the build agent's role permission to retrieve it).
Super useful, thanks! 🙌