
Lesson Description
The "Adding AWS Secrets to GitHub" Lesson is part of the full Cloud Infrastructure: Startup to Scale course featured in this preview video. Here's what you'd learn in this lesson:
Erik explains that GitHub Actions need access to secrets and variables, just as a local development environment does. The application secrets are copied from the AWS Parameter Store, added to the GitHub repo, and referenced in the build-and-deploy.yml GitHub Action.
Transcript from the "Adding AWS Secrets to GitHub" Lesson
[00:00:00]
>> Erik Reinert: The next steps are really going to be building out the pipeline, but at the bare minimum, this is all you need to get started. Just a couple of lines and running the make command that you're already running locally. While this is running in the background, the next thing we want to do is, or actually I'm curious if anyone can guess right, we have the build image, but we don't have the push.
[00:00:31]
We wanna add the push. But what is something that GitHub Actions may need that you also need to push to Amazon?
>> Speaker 2: CLI.
>> Erik Reinert: CLI and-
>> Speaker 3: Secrets.
>> Erik Reinert: Secrets. Exactly. Yes. So what we want to do now is we want to solve the problem. You can see here my pipeline was successful.
[00:00:53]
So if I go back to my PR, I have a green check mark. Awesome. We're all good to go. But I'm not pushing yet and I want to make sure that I can. So what we want to do is we want to create a user in IAM that the GitHub Actions Runner will use to authenticate with Amazon and pull and push and do everything that it needs to with Amazon.
[00:01:16]
So what I'm going to do is I'm going to log back into Amazon, I'm going to go to the console.
>> Erik Reinert: And I'm going to go to the IAM section here. So once I get to the IAM section, I'm going to click on Users again and I'm going to create a user.
[00:01:35]
I'm going to call this Fem FD service GitHub Actions, just so that I know that it's a GitHub Actions user. Then I'm going to click the next button. I'm going to click Attach Policies directly. Now, before the next thing I do, I want you to be aware that you do not have to do it this way.
[00:02:02]
I am going to be lazy and give the key access to my entire Amazon account with every resource inside of it. Now, that does mean that if my CI was to be exploited in any way, shape or form and they got these credentials, they could literally do whatever they wanted in my Amazon account. As a future thing that you can do if you want, you can set up more granular permissions to make it
[00:02:27]
so I only want you to pull, or effectively whatever you're going to do in CI; put the permissions in there to make it so that those are the only things that this key can do. For now, to just unblock us and not have to worry about this, I'm just going to do.
[00:02:43]
But as I said before, with the user that you've created, just be aware that these are root-level credentials and stuff like that. I'm going to click that. I'm going to hit next and then I'm going to click Create User. Bam. There we go. I have created an entire new user.
[00:02:59]
Now, just like we created the service or the credentials before for the local access if you needed to, right? We're going to click on that user, we're going to go to Security credentials and then in here I'm going to create an access key. So I'm going to click Create Access key.
[00:03:21]
I'm going to click on Command Line Interface because we want to use it the exact same way that we do locally. Click "I understand". Click next and then click Create Access Key. And there we go. Now I have my access key and my secret access key. So what I'm going to do really quickly is I'm just going to download the CSV just so that I have it.
[00:03:44]
Now what we want to do is we actually want to go to GitHub Actions and add these as secret values to our pipeline. So what we're going to do is we're going to go back to GitHub Actions, we're going to go to Settings, or not GitHub Actions, but GitHub; we're going to go to Settings, we're going to click on Secrets and variables and then click Actions.
[00:04:06]
Now, what you'll see is you'll see that I already have an access key ID and an AWS secret access key, and, kind of spoilers for in the future, also a Goose DB string, right? So what I want you to do is I want you to create two new variables, or two new secrets.
[00:04:26]
Access Key ID and Secret access key in this repository. And so to do that you'll just grab the value or the key that you want, click New Repository Secret, paste in the name and then paste in the value and click Add Secret. So I'm going to do that really quickly off screen so I don't dox myself and you take care of it now.
[00:04:46]
So the next thing I want you to add is I want you to go to the Variables tab and if you notice I also have variables that exist in my repo. However, you'll notice that these variables I can read. So there's two ways of managing configuration values in GitHub Actions.
[00:05:06]
The first way is by secrets and the second way is by variables. TL;DR: variables are unencrypted, secrets are encrypted. So if you go to Secrets, you will never see the value that you put in, whereas normal variables you will actually see the value. They're nice because at least you can see them.
[00:05:23]
They're a little bit easier to manage. So I don't try and put everything in secrets. You can if you want, but if it doesn't actually have to be a secret I don't recommend it. Just make it a variable. And so you'll see here that the other two variables I want you to add are your account ID and your default region.
[00:05:39]
In this case we are using, remember, US West 2, so be sure to do that. So you'll click New Repository Variable right here, New Repository Variable, and then you'll give it AWS Account ID or AWS Default Region. Paste those in, add those variables and then you should see two new entries with your account ID and your default region.
[00:06:03]
And if you want to get your account ID again, you can do that in the top right-hand corner of the console: click on your little name and then you should see Account ID right there.
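To show how the two kinds of values end up being consumed, here is an added illustration of what a build-and-deploy.yml workflow referencing them could look like. It is not the course's own workflow file: the secret names (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), the variable names (AWS_ACCOUNT_ID, AWS_DEFAULT_REGION) and the make targets are assumed for illustration, and the lesson does not state them verbatim. The split follows the rule given in the lesson: the access key ID and secret access key are encrypted repository secrets (read through the `secrets` context and masked in job logs), while the account ID and default region are plain repository variables (read through the `vars` context and readable in the UI).

```yaml
# Hypothetical build-and-deploy.yml (added example, not the course's file).
# Secret and variable names below are assumptions; match them to what you
# actually created under Settings -> Secrets and variables -> Actions.
name: build-and-deploy

on:
  pull_request:
  push:
    branches: [main]

env:
  # Plain repository variables: not sensitive, visible in the UI and easy to manage.
  AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }}
  AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}   # e.g. us-west-2 in the lesson

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials for the GitHub Actions IAM user
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Encrypted repository secrets: never displayed again after creation
          # and automatically masked if they appear in step output.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_DEFAULT_REGION }}

      - name: Build and push the image
        # Reuse the same make targets run locally (target names are assumed here).
        run: make build push
```

Because the IAM user created in this lesson carries broad permissions, the practical follow-up the lesson itself points to is narrowing that user's policy to only the actions the workflow performs (the pull and push steps), so that a leaked secret from the CI environment is limited to those operations.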