
My use-case: I have a private GitHub repository and a private GitHub NPM registry for dependencies. The repository imports dependencies from private registries. For the GitHub Actions CI pipeline, GitHub generates a temporary token, which can be used to access this registry; in GH Actions I can set up the private registry for the Docker build using this token:

# Declare the build argument so ${NPM_REGISTRY_TOKEN} is populated from --build-arg.
ARG NPM_REGISTRY_TOKEN
RUN npm config set @orgname:registry https://npm.pkg.github.com && \
  echo "//npm.pkg.github.com/:_authToken=${NPM_REGISTRY_TOKEN}" >> $HOME/.npmrc && \
  npm ci

GH Actions workflow step:

      - name: Docker build
        run: docker build --build-arg NPM_REGISTRY_TOKEN=${{ secrets.GITHUB_TOKEN }} .

I want to build the same Docker image in AWS CodeBuild. I created a GitHub connection via an OAuth app and configured the build spec, but I can't find how to get the GitHub OAuth token from this connection.

But I don't want to use a personal access token for this because it gives too broad access to unrelated resources (the repository and registry are located in a GH org; a PAT gives access to my personal GH account).

Is it possible to access some temporary GH token from CodeBuild environment?

Kirill

2 Answers


A PAT does indeed give broad access.
But a dedicated fine-grained access token should be more limited and targeted: you can select which repositories you want the token to access.

If AWS CodeBuild does not expose a temporary token as GitHub Actions does, using such a token could be a good workaround.

That would corroborate what the documentation "Access your source provider in CodeBuild" suggests.

VonC
  • Thank you. Unfortunately, I did not manage to set up a fine-grained PAT with access to organization NPM or Docker registries: in GitHub, packages are related to the organization, not to the repository, so I can't choose package access when configuring this token. – Kirill Mar 16 '23 at 16:19
  • @Kirill Then would SSH access be a valid alternative? After all, [starting today, you can limit an SSH key to *one* organization](https://github.blog/changelog/2023-03-16-ssh-certificate-requirement-update/). – VonC Mar 16 '23 at 21:55
  • SSH doesn't work for me, because I need HTTPS access to GitHub NPM and Docker registries (packages) https://docs.github.com/en/packages/learn-github-packages – Kirill Mar 20 '23 at 06:53
  • @Kirill OK. And I suppose you cannot easily combine both types of credentials. – VonC Mar 20 '23 at 07:04
  • Yes, I need to expose some token to the AWS pipeline, where I want to give access only to organization objects (repositories, packages), not to personal ones. – Kirill Mar 20 '23 at 07:49
  1. Store your GitHub OAuth token in the AWS Systems Manager Parameter Store as a secure string parameter.
  2. Access the parameter by assigning an IAM role to the CodeBuild project.
  3. Fetch the GitHub OAuth token from the store and use it in the build process as below:
version: 0.2
phases:
  pre_build:
    commands:
      # The CodeBuild service role needs ssm:GetParameter on this parameter path for this call to succeed.
      - aws ssm get-parameter --name "/my/parameter/store/github/token" --with-decryption --query "Parameter.Value" --output text > github_token.txt
      - npm config set @orgname:registry https://npm.pkg.github.com
      - echo "//npm.pkg.github.com/:_authToken=$(cat github_token.txt)" >> $HOME/.npmrc
  build:
    commands:
      - npm ci
      - docker build --build-arg NPM_REGISTRY_TOKEN=$(cat github_token.txt) .
Rithik Banerjee
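The following script is an added example and is not code from the question or from either answer. It carries the token flow of the second answer (SSM Parameter Store → CodeBuild → docker build) through to the Dockerfile from the question, with one change a practitioner would want: the token is handed to `docker build` as a BuildKit secret mount (`--secret` plus `RUN --mount=type=secret`, both standard Docker features) instead of a `--build-arg`, because a build argument is recorded in the image metadata that `docker history` shows, and a `.npmrc` appended in a `RUN` step persists in that layer. The parameter path `/my/parameter/store/github/token` and the `@orgname` scope come from the page; the `.npmrc.secret` file name, the `myapp:ci` tag, the `node:20-alpine` base image and the `run` argument that triggers the real build are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the question or either answer): fetch the registry token
# from SSM Parameter Store and pass it into `docker build` as a BuildKit secret so it
# never lands in an image layer or in `docker history`.
# The aws/docker calls run only when the script is invoked with the argument `run`
# (an assumption of this example); the helper functions are pure so they can be
# checked offline.
set -eu

# Render the two .npmrc lines that point a scope at GitHub Packages and attach the token.
npmrc_lines() {
  scope=$1; token=$2
  printf '@%s:registry=https://npm.pkg.github.com\n' "$scope"
  printf '//npm.pkg.github.com/:_authToken=%s\n' "$token"
}

# Write the .npmrc to a private file (mode 0600) so other processes in the build
# container cannot read the token; prints the path of the written file.
write_secret_npmrc() {
  scope=$1; token=$2; out=$3
  ( umask 077; npmrc_lines "$scope" "$token" > "$out" )
  chmod 600 "$out"
  printf '%s\n' "$out"
}

# Guard used before the build: succeeds only if the file is owner read/write only.
is_private_file() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Minimal Dockerfile that consumes the secret during `npm ci` only. The mounted
# file exists just for that RUN step, unlike the `>> $HOME/.npmrc` approach in the
# question, which leaves the token inside the layer.
render_dockerfile() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
# The secret with id=npmrc is mounted at /root/.npmrc for this step only.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
COPY . .
EOF
}

# Build entry point: steps 1 and 3 of the answer (read the SecureString parameter),
# which works because the CodeBuild service role allows ssm:GetParameter (step 2).
main() {
  token=$(aws ssm get-parameter --name "/my/parameter/store/github/token" \
            --with-decryption --query "Parameter.Value" --output text)
  npmrc=$(write_secret_npmrc orgname "$token" "$CODEBUILD_SRC_DIR/.npmrc.secret")
  is_private_file "$npmrc" || { echo "refusing to build: $npmrc is readable by others" >&2; exit 1; }
  render_dockerfile > Dockerfile
  # --secret makes the file available to RUN --mount=type=secret; no --build-arg is used.
  DOCKER_BUILDKIT=1 docker build --secret "id=npmrc,src=$npmrc" -t myapp:ci .
  rm -f "$npmrc"   # the token file is not needed once the image is built
}

if [ "${1:-}" = run ]; then
  main
fi
```

In the buildspec this replaces the `pre_build`/`build` commands with a single `sh ci-build.sh run` in the `build` phase (file name assumed). CodeBuild can also inject the parameter for you through the buildspec's `env: parameter-store:` mapping instead of the explicit `aws ssm get-parameter` call; either way the service role, not a long-lived personal token, is what grants the read.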