
I am using user-data to register my EC2 as a self-hosted GH Action runner as follows

```shell
# ${...} placeholders are filled in when the user-data template is rendered
su - ubuntu -c './config.sh --unattended --url '${github_repo_url}' \
    --pat '${github_pat}' --name '${name}'  --labels '${labels}' --replace'
```

(no output, just the command-line)

I am using a GitHub (GH) Personal Access Token (PAT) since otherwise I would have to go to the GH web interface (UI) and request a registration token each time I want to register a new AWS EC2 virtual machine instance as a self-hosted GH runner.

The problem is that user-data is of course visible once the machine is ready.

Is there a better way to go about it?

AFAIK EC2 does not accept resource-based policies so as to restrict access to only a selected group of members.

pkaramol
  • This Q&A covers a similar if not the same scenario: [How I can get a github actions runner token](https://stackoverflow.com/q/59563916/367456). Furthermore, it looks to me like an implementation detail of `config.sh` - Have you reported your issue to the project? And there is [API to generate runners token? #26751](https://github.com/orgs/community/discussions/26751) and [Create a registration token for an organization - REST API](https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization) – hakre Apr 23 '23 at 05:53

1 Answer


AWS Parameter Store with encrypted strings is a general solution for making secrets like that available to AWS resources. Your EC2 instance can then apply the appropriate permissions to access the parameter in question (your GH PAT in this case) via the instance profile.

In your EC2 user-data you can then use the AWS CLI to pull the parameter. This question has an example on how to pull that off.

Chris White
  • Thanks. I suppose Secrets Manager can be used as well, right? – pkaramol Apr 23 '23 at 08:52
  • Secrets Manager is slightly more of a step up with features such as password rotation. Given that AWS can't go directly in and rotate the PAT from GitHub, Parameter Store with encrypted string values is sufficient enough. See here ( https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html ) for more info if you're curious. – Chris White Apr 23 '23 at 13:16
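As an added worked example (not code from the question or the answer), here is the user-data script the accepted approach leads to. The PAT lives in an SSM SecureString parameter and is read at boot with `aws ssm get-parameter --with-decryption`, so it never appears in user-data, which anyone with `ec2:DescribeInstanceAttribute` or with access to the instance metadata service can read. It goes one step beyond the answer: instead of handing the PAT to `config.sh --pat`, it uses the PAT once to mint a short-lived registration token through the REST endpoint linked in the comments (the repository variant of it) and passes that with `--token`. The parameter name, repository URL, runner directory and labels are placeholders that whatever renders the template is assumed to fill in.

```shell
#!/bin/sh
# Added example user-data script (not the poster's or answerer's code).
# It fetches the GitHub PAT from an SSM SecureString parameter at boot,
# exchanges it for a short-lived runner registration token, and only
# then runs config.sh, so the long-lived PAT is never part of user-data.
# All names below are hypothetical and set by whatever renders the template.
set -eu

PAT_PARAMETER="${PAT_PARAMETER:-}"                      # e.g. /github/runner/pat
GITHUB_REPO_URL="${GITHUB_REPO_URL:-}"                  # e.g. https://github.com/acme/widgets
RUNNER_DIR="${RUNNER_DIR:-/home/ubuntu/actions-runner}"
RUNNER_LABELS="${RUNNER_LABELS:-self-hosted,ec2}"

# Read a SecureString parameter. --with-decryption makes SSM decrypt it with
# the KMS key, so the instance profile needs ssm:GetParameter on this one
# parameter and kms:Decrypt on that key; nothing else on the box needs them.
fetch_secret() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text
}

# https://github.com/acme/widgets/ -> acme/widgets (the REST API path form).
repo_slug() {
    printf '%s\n' "$1" | sed -e 's#^https://github.com/##' -e 's#/*$##'
}

# Pull the "token" value out of the JSON reply without jq, which minimal
# AMIs often lack.
extract_token() {
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exchange the PAT for a registration token via the endpoint linked in the
# comments above (repository variant). The token expires after about an
# hour, so config.sh never has to see the PAT itself.
registration_token() {
    curl -fsS -X POST \
        -H "Authorization: Bearer $1" \
        -H "Accept: application/vnd.github+json" \
        "https://api.github.com/repos/$2/actions/runners/registration-token" \
        | extract_token
}

register_runner() {
    pat="$(fetch_secret "$PAT_PARAMETER")"
    token="$(registration_token "$pat" "$(repo_slug "$GITHUB_REPO_URL")")"
    unset pat
    [ -n "$token" ] || { echo "no registration token returned" >&2; exit 1; }
    # Same invocation as in the question, with --token instead of --pat.
    su - ubuntu -c "cd '$RUNNER_DIR' && ./config.sh --unattended \
        --url '$GITHUB_REPO_URL' --token '$token' --name '$(hostname)' \
        --labels '$RUNNER_LABELS' --replace"
}

# Run only when the template has filled in the parameter name; otherwise the
# functions above can be sourced and exercised on their own.
if [ -n "$PAT_PARAMETER" ]; then
    register_runner
fi
```

The access restriction the question asks about lives on the parameter, not on the instance: the instance profile is the only principal granted `ssm:GetParameter` on that parameter and `kms:Decrypt` on its key, and rotating or revoking the PAT is a single `aws ssm put-parameter --overwrite` with no change to the instances or their user-data.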