Is it possible to run a GitHub Action with a 2FA?

I have the following scenario. Currently a Wordpress site was hosted on an EC2
server. There is no deployment strategy in place. It was using the AWS CLI to
deploy the data from local to the server.
Problem: For various reasons, I don't want to take over that way of deployment and am
currently considering putting the deployment process into a GitHub Action. Which
in itself wouldn't be a problem if it weren't for the 2FA check.
Using the AWS CLI, I am forced to enter the code displayed in my MS Authenticator
app into the CLI to proceed.
Question: Is it possible to deploy via GitHub Action and 2FA? I guess almost no?
But what do I know?

No, you can't have GitHub Actions prompt and enter the 2FA tokens on your behalf. But what you can do is set up OpenID Connect between GitHub Actions and AWS.
That way you can authorize GitHub Actions to make changes to specific resources in AWS and OIDC handles the magic key exchange parts to make sure it can safely do its thing.
More info here:
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
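As an added example (not part of the answer above), a minimal workflow that assumes an AWS IAM role through OIDC, so the job gets short-lived credentials without static keys or an MFA prompt; the account id, role name, region, bucket and repository are placeholders.

```yaml
# Added example: GitHub Actions -> AWS via OIDC (no stored access keys, no MFA prompt)
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Optional GitHub environment; required reviewers on it act as the human gate
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Assume the deploy role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # placeholder account/role
          role-session-name: gha-${{ github.run_id }}                     # shows up in CloudTrail
          aws-region: eu-west-1                                           # placeholder region

      - name: Verify which identity the job received
        run: aws sts get-caller-identity

      # Replace with the AWS CLI deploy commands currently run from the laptop
      - name: Sync site to the deployment bucket
        run: aws s3 sync ./site s3://example-wordpress-deploy/   # placeholder bucket
```

The IAM role's trust policy must allow `sts:AssumeRoleWithWebIdentity` from the `token.actions.githubusercontent.com` provider with conditions `token.actions.githubusercontent.com:aud` equal to `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` equal to `repo:ORG/REPO:ref:refs/heads/main`, so only that repository and branch can obtain the credentials.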

You can use the wait-for-secrets GitHub Action to use 2FA from a GitHub Actions workflow. Wait-for-secrets GitHub Action waits for the developer to enter secrets during a workflow run. Developers can enter secrets using a web browser and use them in the workflow.

Related

Unable to connect from Google Cloud to Bitbucket repository using app password

I'm using GCP build triggers connected to Bitbucket repositories. The connection is made using user credentials. Bitbucket has announced they're ending support for account password usage:
Beginning March 1, 2022, Bitbucket users will no longer be able to use
their Atlassian account password when using Basic authentication with
the Bitbucket API or Git over HTTPS. For security reasons, we require
all users to use Bitbucket app passwords.
Problem is, when trying to connect to a repository in GCP, the only option to supply Bitbucket credentials is via a web login (and, to the point of app passwords, you cannot log in via bitbucket.org with an app password).
[Screenshot: GCP Bitbucket login prompt via bitbucket.org]
Expected behavior: GCP provides an option to submit app password credentials when connecting to a Bitbucket repository.
I followed directions for GCP Cloud Build integration with Bitbucket Cloud and successfully built out a functioning trigger for my repository here. I only built the trigger in GCP and used the generated webhook URL when creating the webhook in Bitbucket: I didn't create SSH keys, nor is my cloudbuild.yaml entirely valid - so the builds are failing.
Access to the Bitbucket repository was provided through GCP GUI in Cloud Build.
I have been informed of this change as well. I am trying to understand the scope of the change and its impact. It states that you cannot log in with an Atlassian account and password. However, besides using app passwords, you can also log in using OAuth2. https://developer.atlassian.com/cloud/bitbucket/oauth-2/
In the case of GCP Build Triggers, when I first set up the Bitbucket repository to connect to, I need to go through the "Authorization Code Grant" flow and acknowledge what access I am granting to Google Cloud Source Repository. If you check the Bitbucket API endpoints being called, they are URLs that are being used for "Authorization Code Grant" flow.
Based on these findings, am I right to say that there is no necessity to change existing triggers or mirrored repositories on GCP since they are using OAuth2 in the first place instead of Atlassian accounts and passwords?
If you can set up the build trigger to be done by a webhook, you can configure the build with an SSH key. But if you have to configure it as a manual trigger, then using the Bitbucket login credentials is the only option. Personally, I don't like this config with user login though.
The only good thing is that even now (after Bitbucket stopped supporting the login credentials for code checkout) the code checkout in GCP is working fine.

Browser authentication for AWS SDK for JavaScript using IAM credentials

I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS, the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs" which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers Prerequisites and other information, such as creating the required AWS resources, you need to know to write a web app using the AWS SDK for JavaScript.
Also, the link you referenced was the JavaScript V2 Dev Guide. It's better to use the AWS JavaScript V3 Dev Guide.

Authentication for a custom AWS console

We'd like to build a custom AWS console for our company, geared to our company and needs. We already have the correct rules and permissions assigned to everyone; this is only a question of authentication. I'm not able to find a "Login with AWS" option. What's the best way to use the existing login system and use those credentials with the JS SDK to make our own web console?
OAuth is the most common way to do this, but I can’t find it for AWS - GitHub, for instance has this https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/ which lets us build a custom Github dashboard.

How to reconnect CodeDeploy to GitHub

I went through my first attempt at using CodeDeploy on AWS and did authorize CodeDeploy to access my GitHub account, but later decided that I did not want to give this admin level access since I am administrator for multiple organizations and this just felt very wrong to me.
So I revoked the OAuth token at GitHub.
Now I realize that I don't have any other good options and pretty much have to use CodeDeploy but the GitHub integration is now broken.
I tried deleting all of my CodeDeploy applications and starting over, but now whenever I click on the "Connect to GitHub" buttons in CodeDeploy it displays an error message "Token name is missing".
Is there any way to re-establish the OAuth token?
You can try and follow the steps described in that thread:
The codedeploy-agent uses the OAuth token, generated by the (Re)Connect with GitHub step, to enable it to download the deployment bundle from your GitHub repo. GitHub responds with a 404 Not Found if the token is missing, has no access, or the repo does not exist. The OAuth token is set up separately for each CodeDeploy application. The OAuth token may not have been set up for the CodeDeploy application, it may have been revoked, or the repo may have been deleted in GitHub.
Please ensure the repo exists in GitHub, and please try to '(Re)Connect with GitHub' to establish a new OAuth token for the CodeDeploy application:
GitHub Behaviors with AWS CodeDeploy
Create a Deployment with AWS CodeDeploy
Also, see the blog for automating AWS CodeDeploy deployment from GitHub for more information.
Note: that last blog mentions:
This post has been updated on October 1, 2018 to reflect the deprecation of GitHub services. You can learn more about this deprecation here.
We now recommend setting up automatic deployments from GitHub using AWS CodePipeline and AWS CodeDeploy.

AWS Code Deploy failure after converting to an Organization

I recently converted a private GitHub account to an Organization and that seems to have totally screwed up my authentication with AWS Code Deploy on every one of my repositories.
I checked the Webhooks & services for AWS Code Deploy and my keys are set properly.
I also re-authenticated with GitHub when creating a new deployment.
My IAM permissions have not changed and pass the GitHub test.
But, I receive the following message every time I try to deploy...
Could not download bundle at 'https://api.github.com/repos/artofdev/django/tarball/1ec682b03d3f160d401d0aaf565a66d99f28734e' after 3 retries. Server returned codes: 404 'Not Found'; 404 'Not Found'; 404 'Not Found'; 404 'Not Found'.
[EDIT]: I setup a test repo and code deploy application on a personal github account and was able to deploy successfully. Does AWS Code Deploy work with Organization repos?
There is one more authorization step you need to do if you want to deploy from a private repo controlled by an organization.
CodeDeploy just updated with a doc section here: http://docs.aws.amazon.com/codedeploy/latest/userguide/github-integ.html#github-integ-behaviors-org-repositories
Have you retried authenticating CodeDeploy with your new GitHub organization? It is likely that by changing your configuration on GitHub's side your previous authentications were invalidated.
To re-authenticate, you need to create a new deployment from the web console.
You won't need to fully finish creating the deployment, but before you get to the final step, you should see a "Reconnect to GitHub" link.
See GitHub Authentication with Applications in AWS CodeDeploy
I faced exactly the same issue. The resolution that worked for me was:
1. Delete the application
2. Create a new application and deployment
3. Re-authenticate with GitHub
4. Authorize CodeDeploy to access GitHub
5. Deploy
Without deleting the application, it was not providing a way to re-authorize CodeDeploy to GitHub, and that's the root cause of this issue.
For your CI integration to work correctly, go to Your profile --> Settings --> Applications --> Authorized OAuth Apps; it should list CodeDeploy.