github-codebuild-logs

Github authentication fails if OAuth token is updated in Secrets Manager [console]

Open mattsb42 opened this issue 6 years ago • 6 comments

Leading to #13, I was troubleshooting the permissions on my access tokens, and since you cannot modify the permissions on an existing token, I had to create a new token for each permissions attempt.

If the token is set through the SAR console on creation, everything works fine. However, if the token is then changed in Secrets Manager, the GitHub call fails with Invalid Credentials. I skimmed the GitHub proxy, and it looks like everything is being done correctly (secret value pulled fresh each time), so I'm not entirely sure why this is failing.

I did update the value through the Secrets Manager console, which makes me wonder if some whitespace might be sneaking its way into the value. I'll do some testing with this to see if I can narrow this down.

mattsb42, Oct 19 '19 12:10

@mattsb42 The GitHub OAuth token is cached in memory by the app. Did you delete the old token after replacing it with a new one in Secrets Manager? If so, the app was probably trying to use the deleted token, resulting in the invalid token error from GitHub.

An enhancement that could be made to the app would be for GithubProxy to catch the invalid token error and attempt to reinitialize the client (which would also reload the token).

jlhood, Oct 21 '19 18:10

Yes, I deleted the old token. I missed the client caching; yes, this is probably what was happening. Catching the invalid credentials error and re-loading credentials sounds like the right approach to me. We'll want to make sure we only try reloading once though.

mattsb42, Oct 21 '19 20:10

Why only try reloading once? What's the concern with always trying to reload it on invalid token error?

jlhood, Oct 21 '19 20:10

Just trying to avoid an infinite loop of it failing and reloading.

mattsb42, Oct 21 '19 20:10

Not sure if it is the same issue for you, but I found it confusing when using the Secrets Manager console. The console defaults the secret to be either a key-value pair or a JSON string under Plaintext. I have to just copy-paste my OAuth token there in Plaintext and remove the default JSON blob. Most of the time I just use the AWS CLI to store my OAuth token:

aws secretsmanager create-secret --name GitHubOAuthToken --secret-string <my oauth token>

honglu, Oct 21 '19 21:10

@mattsb42
> Just trying to avoid an infinite loop of it failing and reloading.

Oh I see. You mean only retry once per Lambda invocation. I was thinking the same thing. For a second I thought you meant ensuring it only retries once across Lambda invocations. 😅

jlhood, Oct 21 '19 23:10
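
The enhancement discussed in this thread (catch the invalid-credentials error, reload the token, retry only once), sketched as an added example that is not the app's own code. `CachingGithubProxy`, `InvalidCredentials`, `FakeGithubClient` and the token values are hypothetical, and stripping whitespace from the loaded secret is an assumption prompted by the whitespace question in the first comment.

```python
class InvalidCredentials(Exception):
    """Hypothetical stand-in for the GitHub client's 'Bad credentials' error."""

class CachingGithubProxy:
    def __init__(self, load_token, make_client):
        self._load_token = load_token    # e.g. reads the secret from Secrets Manager
        self._make_client = make_client  # builds an API client from a token
        self._client = None              # cached across calls, like the app's client

    def _get_client(self, refresh=False):
        if refresh or self._client is None:
            token = self._load_token().strip()  # assumption: drop stray whitespace
            self._client = self._make_client(token)
        return self._client

    def call(self, operation):
        """Run operation(client); on invalid credentials reload and retry once."""
        try:
            return operation(self._get_client())
        except InvalidCredentials:
            # The cached token was rotated or deleted: reload it and retry exactly
            # once. A second failure propagates, so a bad stored secret cannot loop.
            return operation(self._get_client(refresh=True))

class FakeGithubClient:
    """Constructed test double: accepts only tokens currently in valid_tokens."""
    def __init__(self, token, valid_tokens):
        self.token, self._valid = token, valid_tokens
    def post_comment(self, body):
        if self.token not in self._valid:
            raise InvalidCredentials("Bad credentials")
        return f"posted {body!r} with {self.token}"

def simulate_rotation():
    """Constructed scenario: the secret is replaced and the old token deleted."""
    secret, valid, loads = {"value": "token-A"}, {"token-A"}, []
    def load_token():
        loads.append(secret["value"])
        return secret["value"]
    proxy = CachingGithubProxy(load_token, lambda t: FakeGithubClient(t, valid))
    first = proxy.call(lambda c: c.post_comment("build 1"))
    secret["value"] = "token-B\n"      # new token pasted with a trailing newline
    valid.clear(); valid.add("token-B")  # old token deleted on the GitHub side
    second = proxy.call(lambda c: c.post_comment("build 2"))
    valid.clear()                      # now even the stored token is invalid
    try:
        third = proxy.call(lambda c: c.post_comment("build 3"))
    except InvalidCredentials:
        third = "failed after one reload"
    return first, second, third, len(loads)
```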