Aembit provides several different deployment options you can use to deploy Aembit edge components in your environment. Each of these options provides similar features and functionality; however, the steps for each of these options are specific to the deployment option you select.
This page describes the process to utilize the Aembit Edge Agent in GitHub Actions.
Configure a Serverless Access Policy
Section titled “Configure a Serverless Access Policy”To configure your Aembit tenant to support GitHub Actions as a Client Workload:
- Configure your Client Workload to identify the Aembit Agent runtime environment with one or more of the following Client Identification options.
-
Configure your Trust Provider type to GitHub Action ID Token to identify and attest the Aembit Agent runtime environment.
-
Configure your Credential Provider to specify the credential values which you want to be available in the Serverless runtime environment.
-
Configure your Server Workload to specify the service endpoint host and port which you want to utilize in the Serverless runtime environment.
-
Configure your Access Policy referencing the Aembit entities from steps 3 - 6, and then click Save & Activate.
Configure for use with a Custom Resource Set
Section titled “Configure for use with a Custom Resource Set”To configure GitHub Actions to work with a Custom Resource Set:
-
Open your existing GitHub Actions configuration file.
-
Go to your Aembit tenant, click on the Trust Providers link in the left navigation pane and locate your GitLab Trust Provider in the Custom Resource Set you are working with.
-
In your GitHub Actions configuration file, go to the
envsection for the action step and add both theAEMBIT_CLIENT_IDandAEMBIT_RESOURCE_SET_IDvalues. In the example below, notice that theAEMBIT_CLIENT_IDandAEMBIT_RESOURCE_SET_IDvalues have been added in thestepssection.
jobs: sample: steps: - name: Sample env: AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:github_idtoken:uuid AEMBIT_RESOURCE_SET_ID: 585677c8-9g2a-7zx8-604b-e02e64af11e4-
Verify both the
AEMBIT_CLIENT_IDandAEMBIT_RESOURCE_SET_IDenvironment variables match the values in your Resource Set and Trust Provider in your Aembit tenant. -
Commit your changes to your GitHub Actions configuration file.
Deploy the Serverless Script
Section titled “Deploy the Serverless Script”-
Retrieve the latest available Aembit Agent release. The latest release can be found on the Agent Releases page.
-
Include the Aembit Agent within your Serverless environment. This can be accomplished by bundling it within an image, or retrieving it dynamically as appropriate for your workload.
-
Configure your Serverless script to call the Aembit Agent with the proper parameters. The example below shows configurations for GitHub Actions.
# The id-token permissions value must be set to write for retrieval of the GitHub OIDC Identity Tokenpermissions:id-token: write...jobs:sample:steps:- name: Sampleenv:# Copy the Client ID value from your Trust Provider to this valueAEMBIT_CLIENT_ID: aembit:stack:tenant:identity:github_idtoken:uuidrun: |$(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --server_workload_host oauth.sample.com --server_workload_port 443)echo OAuth Token $TOKEN
:warning: In the configuration file, replace the value for AEMBIT CLIENT ID with the Client ID value generated on your Trust Provider, and set the Server Workload Host and Server Workload Port values to your desired values.
Verify Aembit Agent
Section titled “Verify Aembit Agent”To verify the Aembit Agent:
-
When downloading the Aembit Agent from the Agent Releases page, also download the matching
SHA256SUMSandSHA256SUMS.sigfile. -
Use the
gpgandshasumcommands (or similar) to perform a signature/hash verification against the Aembit Keybase Key. For example:Terminal window curl https://keybase.io/aembit/pgp_keys.asc | gpg --importgpg --verify aembit_1.13.0_SHA256SUMS.sig aembit_1.13.0_SHA256SUMSgrep $(shasum -a 256 aembit_1.13.0_linux_amd64.zip) aembit_1.13.0_SHA256SUMS