and employing them securely
At Archer, we have been moving credentials into AWS Systems Manager (SSM) Parameter Store and AWS Secrets Manager. One of the more interesting credentials is an SSH key that is used to clone a GitHub repository into an environment that has IAM roles available (E.g., AWS Lambda, Fargate, EC2).
We’d like to treat this SSH private key as a secret that is stored securely in SSM Parameter Store, with access controlled by AWS IAM, and only retrieve it briefly when it is needed to be used. We don’t even want to store it on disk when it is used, no matter how temporarily.
After a number of design and test iterations with Buddy, here is one of the approaches we ended up with. This is one I like for how clean it is, but may not be what ends up going into the final code.
This solution assumes that you are using bash to run your Git commands, but could be converted to other languages if needed.
Using The Solution
Here is the bash function that retrieves the SSH private key from SSM Parameter Store, adds it to a temporary(!) ssh-agent process, and runs the desired git subcommand using the same temporary ssh-agent process:
git-with-ssm-key()
{
  # Name of the SecureString parameter that holds the private key.
  local ssm_key="$1"; shift

  # ssh-agent runs the inner bash with SSH_AUTH_SOCK pointing at a fresh
  # agent and shuts that agent down as soon as the inner shell exits, so
  # the key exists only in the agent's memory for the life of the command.
  ssh-agent bash -o pipefail -c '
    # Decrypt the parameter and hand the key to ssh-add on stdin ("-"),
    # so it is never written to disk. pipefail keeps a failed aws call
    # from being masked by the exit status of ssh-add.
    if aws ssm get-parameter \
         --with-decryption \
         --name "'$ssm_key'" \
         --output text \
         --query Parameter.Value |
       ssh-add -q -
    then
      git "$@"
    else
      echo >&2 "ERROR: Failed to get or add key: '$ssm_key'"
      exit 1
    fi
  ' bash "$@"
}
Here is a sample of how the above bash function might be used to clone a repository using a Git SSH private key stored in SSM Parameter Store under the key “/githubsshkeys/gitreader”:
git-with-ssm-key /githubsshkeys/gitreader clone git@github.com:alestic/myprivaterepo.git
Other git subcommands can be run the same way. The SSH private key is only kept in memory and only during the execution of the git command.