Comments (4)

wolfy1339 commented on June 1, 2024 1

We wouldn't want to add a feature for only one platform. If it uses a standardized process that is supported on many platforms then it would be fine

from octokit.js.

github-actions commented on June 1, 2024

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀


danielhardej commented on June 1, 2024

PS, this seems related to:

octokit/auth-app.js#465


danielhardej commented on June 1, 2024

So, after digging into this, it looks like this might be a documentation opportunity rather than a bug, as it's more to do with a limitation of the Azure Key Vault and the guidelines in the GitHub documentation.

Going back to the drawing board and trying to store the private key as a secret - not a key - in AKV seems to work. But there's a catch: the RSA private key you download for the GitHub app needs to be encoded as a base64 string before it's added as an AKV secret.

Here's the TL;DR of what you need to do to get it to work:

  1. Download the .pem file from the GitHub app settings.

  2. Go to your terminal, and navigate to the directory where the .pem file is located.

  3. Run the following command to convert the .pem file to a base64 string: cat <your-private-key>.pem | base64

  4. Copy the base64 encoded string from the terminal output and store it as a secret in the Azure Key Vault. Assign it a descriptive name in AKV, and provide that name in the function app (below I store it as an env variable.)

  5. Retrieve the secret from the Azure Key Vault in the Azure Function app and decode it from base64 to an ascii string with the following code:

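```js
import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";
import { createAppAuth } from "@octokit/auth-app";
import { Octokit } from "octokit";

const vaultName = process.env.KEY_VAULT_NAME;
const keyName = process.env.KEY_NAME;
const appId = process.env.APP_ID;
// installationId was not defined in the original snippet; reading it from an
// env variable here is an assumption.
const installationId = process.env.INSTALLATION_ID;

// Fetch the base64-encoded private key that was stored as an AKV secret.
const vaultURL = `https://${vaultName}.vault.azure.net`;
const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultURL, credential);
const secretBundle = await client.getSecret(keyName);
// Decode the secret back into the original PEM text.
const privateKeyString = Buffer.from(secretBundle.value, 'base64').toString('ascii');

const octokit = new Octokit({
  authStrategy: createAppAuth,
  auth: { appId, privateKey: privateKeyString, installationId },
});
```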

BUT, that being said, it would be interesting to find out if there's any opportunity to add a new feature to Octokit that would allow users to pass the key object from AKV to the new Octokit instance in the app to authenticate it?

It would be good to get the 2 cents of the Octokit team on this. Specifically to find what the appetite for this would be with respect to i) whether or not enough users have a desire for this feature, and ii) whether the API/Octokit product and engineering teams see this as something that's worth the time/effort.
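A defensive take on step 5 of the comment above, as an added example that is not part of the original comment or Octokit's own code: `decodePemSecret` is a hypothetical helper that validates the secret before and after decoding and fails closed, so a wrong or mis-pasted secret is caught at startup instead of surfacing later as a signing error. The sample PEM is constructed filler, and the Key Vault fetch is left out so the block runs offline.

```javascript
// Added example, not code from the thread. Sample values below are constructed.
const PEM_RE =
  /^-----BEGIN ((?:RSA )?PRIVATE KEY)-----\r?\n([A-Za-z0-9+\/=\r\n]+?)\r?\n-----END \1-----\s*$/;

// Hypothetical helper: turn the Key Vault secret value into a PEM string,
// or throw. Error messages never include any part of the secret.
function decodePemSecret(secretValue) {
  if (typeof secretValue !== "string" || secretValue.trim() === "") {
    throw new Error("secret value is missing or empty");
  }
  if (secretValue.includes("-----BEGIN")) {
    throw new Error("secret holds a raw PEM; expected the base64 of the .pem file");
  }
  // GNU `base64` wraps its output at 76 columns, so a pasted value may
  // contain newlines or spaces.
  const compact = secretValue.replace(/\s+/g, "");
  // Buffer.from(x, "base64") does not throw on malformed input; a wrong
  // secret would just decode to garbage. Check the alphabet and length first.
  if (compact.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(compact)) {
    throw new Error("secret value is not valid base64");
  }
  const pem = Buffer.from(compact, "base64").toString("ascii");
  if (!PEM_RE.test(pem)) {
    throw new Error("decoded secret is not a PEM private key");
  }
  return pem;
}

// Constructed stand-in for a downloaded .pem (the body is filler, not a key).
const wrap = (s, n) => s.match(new RegExp(`.{1,${n}}`, "g")).join("\n");
const SAMPLE_PEM =
  "-----BEGIN RSA PRIVATE KEY-----\n" +
  wrap(Buffer.alloc(96, 7).toString("base64"), 64) +
  "\n-----END RSA PRIVATE KEY-----\n";
// What `cat key.pem | base64` would print, including the 76-column wrapping.
const SAMPLE_SECRET = wrap(Buffer.from(SAMPLE_PEM, "ascii").toString("base64"), 76);

function demo() {
  const pem = decodePemSecret(SAMPLE_SECRET);
  return pem === SAMPLE_PEM; // pass `pem` as `privateKey` to createAppAuth
}
console.log("round trip ok:", demo());
```

The structural check only confirms the PEM envelope; it does not prove the body is a usable RSA key.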
