Aembit provides many different deployment options you can use to deploy Aembit edge components in your environment. Each of these options provides similar features and functionality; however, the steps for each of these options are specific to the deployment option you select.
This page describes the process to use the Aembit Edge Agent in GitHub Actions.
Configure a serverless Access Policy
To configure your Aembit Tenant to support GitHub Actions as a Client Workload:
- Configure your Client Workload to identify the Aembit Agent runtime environment with one or more of the following Client Identification options.
- Configure your Trust Provider type to GitHub Action ID Token to identify and attest the Aembit Agent runtime environment.
- Configure your Credential Provider to specify the credential values which you want to be available in the Serverless runtime environment.
- Configure your Server Workload to specify the service endpoint host and port which you want to use in the Serverless runtime environment.
- Configure your Access Policy referencing the Aembit entities from steps 3 - 6, and then click Save & Activate.
Configure for use with a Custom Resource Set
To configure GitHub Actions to work with a Custom Resource Set:
- Open your existing GitHub Actions configuration file.
- Go to your Aembit Tenant, click the Trust Providers link in the left sidebar and locate your GitLab Trust Provider in the Custom Resource Set you are working with.
- In your GitHub Actions configuration file, go to the `env` section for the action step and add both the `AEMBIT_CLIENT_ID` and `AEMBIT_RESOURCE_SET_ID` values. In the following example, notice the `AEMBIT_CLIENT_ID` and `AEMBIT_RESOURCE_SET_ID` values in the `steps` section:

Example GitHub Actions job

```yaml
jobs:
  sample:
    steps:
      - name: Sample
        env:
          AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:github_idtoken:uuid
          AEMBIT_RESOURCE_SET_ID: 585677c8-9g2a-7zx8-604b-e02e64af11e4
```

- Verify both the `AEMBIT_CLIENT_ID` and `AEMBIT_RESOURCE_SET_ID` environment variables match the values in your Resource Set and Trust Provider in your Aembit Tenant.
- Commit your changes to your GitHub Actions configuration file.
Deploy the Serverless Script
- Retrieve the latest available Aembit Agent release. The latest release can be found on the Agent Releases page.
- Include the Aembit Agent within your Serverless environment. This can be accomplished by bundling it within an image, or retrieving it dynamically as appropriate for your workload.
- Configure your Serverless script to call the Aembit Agent with the proper parameters. The following example shows configurations for GitHub Actions.

Example GitHub Actions job

```yaml
# The id-token permissions value must be set to write for retrieval of the GitHub OIDC Identity Token
permissions:
  id-token: write
...
jobs:
  sample:
    steps:
      - name: Sample
        env:
          # Copy the Client ID value from your Trust Provider to this value
          AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:github_idtoken:uuid
        run: |
          $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --server_workload_host oauth.sample.com --server_workload_port 443)
          echo OAuth Token $TOKEN
```
Verify Aembit Agent
To verify the Aembit Agent release, follow these steps using the `gpg` and `shasum` commands. Select the tab that matches your operating system and architecture:

Linux amd64:

Download the Aembit Agent release version from the Aembit Agent Releases page along with the matching checksum files.

Alternatively, you can download these files using `curl`, replacing the release version with the version you're verifying:

```shell
curl -O https://releases.aembit.io/agent/1.17.0/linux/amd64/aembit_1.17.0_linux_amd64.zip
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS.sig
```

Import Aembit's public GPG key from Keybase into `gpg`:

```shell
curl "https://keybase.io/aembit/pgp_keys.asc" | gpg --import
```

Verify Aembit Agent's checksum integrity and authenticity with `gpg`:

```shell
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
```

If you don't have `gpg` installed, see Verifying Aembit binary release signatures prerequisites.

Your output should look similar to the following and include the `Good signature` line:

```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
gpg: Signature made Wed Sep 18 10:13:57 2024 PDT
gpg:                using RSA key EA3D8D2FDAC6BD8137163D00D655E64729BC67D7
gpg: Good signature from "Aembit, Inc. <keybase@aembit.io>" [unknown]
...
```

As long as you see `Good signature...`, you know that the checksum files are valid and authentic.

Verify the integrity of the Aembit Agent file you downloaded using `shasum`:

```shell
grep $(shasum -a 256 aembit_1.17.0_linux_amd64.zip) aembit_1.17.0_SHA256SUMS
```

If the command returns a match, you know the file is intact and matches Aembit's original. The long hex string is the SHA256 hash that both your file and the checksums file agree on. No output would mean the checksums don't match.
Linux arm64:

Download the Aembit Agent release version from the Aembit Agent Releases page along with the matching checksum files.

Alternatively, you can download these files using `curl`, replacing the release version with the version you're verifying:

```shell
curl -O https://releases.aembit.io/agent/1.17.0/linux/arm64/aembit_1.17.0_linux_arm64.zip
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS.sig
```

Import Aembit's public GPG key from Keybase into `gpg`:

```shell
curl "https://keybase.io/aembit/pgp_keys.asc" | gpg --import
```

Verify Aembit Agent's checksum integrity and authenticity with `gpg`:

```shell
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
```

If you don't have `gpg` installed, see Verifying Aembit binary release signatures prerequisites.

Your output should look similar to the following and include the `Good signature` line:

```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
gpg: Signature made Wed Sep 18 10:13:57 2024 PDT
gpg:                using RSA key EA3D8D2FDAC6BD8137163D00D655E64729BC67D7
gpg: Good signature from "Aembit, Inc. <keybase@aembit.io>" [unknown]
...
```

As long as you see `Good signature...`, you know that the checksum files are valid and authentic.

Verify the integrity of the Aembit Agent file you downloaded using `shasum`:

```shell
grep $(shasum -a 256 aembit_1.17.0_linux_arm64.zip) aembit_1.17.0_SHA256SUMS
```

If the command returns a match, you know the file is intact and matches Aembit's original. The long hex string is the SHA256 hash that both your file and the checksums file agree on. No output would mean the checksums don't match.
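
A fail-closed form of the two checks above, suitable for a CI step that downloads the agent dynamically. This is an added example, not Aembit's own script: it pins the signing-key fingerprint shown in the sample `gpg` output rather than relying on the `Good signature` text, and compares the hash for the named file exactly. It assumes `SHA256SUMS` lists entries by bare file name; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Aembit's code): fail-closed release check for a CI step.
# Fingerprint copied from the gpg output shown on this page.
AEMBIT_FPR="EA3D8D2FDAC6BD8137163D00D655E64729BC67D7"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when a
# VALIDSIG record names the expected key (signing key or primary key) and no
# bad/expired/revoked status was reported.
signed_by() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    END { exit ((ok && !bad) ? 0 : 1) }'
}

# Prints the SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Succeeds only if the SHA256SUMS entry for this file name equals the local
# hash. Assumes entries are listed by bare file name ("<hash>  <name>").
checksum_ok() (
  name=$(basename "$1")
  want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                           f == n { print $1; exit }' "$2")
  [ -n "$want" ] && [ "$want" = "$(sha256_of "$1")" ]
)

# usage: verify_release <zip> <SHA256SUMS> <SHA256SUMS.sig>
verify_release() {
  gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null |
    signed_by "$AEMBIT_FPR" || return 1
  checksum_ok "$1" "$2"
}
```

Call `verify_release` before unzipping or executing the agent, and stop the job on a non-zero return.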