
[FEAT]: Support external KMS signing for GitHub App JWT authentication #3317

@u-kai

Describe the need

Description

Support delegating GitHub App JWT signing to external KMS providers (AWS KMS, GCP Cloud KMS, Azure Key Vault), so the private key never leaves the KMS boundary.

Motivation

Supply chain attacks targeting CI/CD pipelines are an increasing concern.
A GitHub App with permissions to manage repositories and environments can access all environments and their secrets across an entire Organization.

If the App's private key leaks from a CI/CD environment, the blast radius is enormous.

External KMS services ensure the private key never leaves the KMS — signing is performed via API calls, and all usage is auditable through cloud provider logging.

Proposed solution

Add a kms_key_id option that delegates JWT signing to an external KMS instead of requiring a raw PEM key:

provider "github" {
  app_auth {
    id              = "12345"
    installation_id = "67890"
    kms_key_id      = "arn:aws:kms:ap-northeast-1:111122223333:key/xxxx"
  }
}

The provider would detect the KMS backend from the key identifier format and use the cloud SDK's default credential chain for authentication.

Considerations

  • pem_file and kms_key_id are mutually exclusive
  • Users must import the GitHub App's RSA key into their KMS with signing permissions
  • Implementation can be phased: start with one cloud provider, add others incrementally

SDK Version

No response

API Version

No response

Relevant log output

Code of Conduct

  • I agree to follow this project's Code of Conduct
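The delegation the proposal sketches, written out as an added example in Go (the language of the provider) so the boundary is concrete: the JWT builder only ever hands a SHA-256 digest to a signer interface, and a cloud KMS client would sit behind that interface. This is not code from the issue or from the provider; the in-process RSA stand-in for the KMS client, the `DetectKMSBackend` helper and all function names are assumptions, and the key-identifier formats it matches are AWS KMS ARNs, GCP KMS resource names and Azure Key Vault key URLs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// DigestSigner is the only contract a KMS backend has to meet: it sees the
// SHA-256 digest of the JWT signing input, never the private key.
type DigestSigner interface {
	Sign(digest []byte) ([]byte, error)
}

// localSigner is a constructed stand-in for a cloud KMS client; an AWS backend would
// instead call kms.Sign (MessageType=DIGEST, SigningAlgorithm=RSASSA_PKCS1_V1_5_SHA_256).
type localSigner struct{ key *rsa.PrivateKey }

func NewLocalSigner() (localSigner, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return localSigner{key}, err
}

func (s localSigner) Sign(digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest)
}

// DetectKMSBackend picks the backend from the kms_key_id format (hypothetical
// helper; the formats are AWS ARNs, GCP resource names and Key Vault key URLs).
func DetectKMSBackend(id string) (string, error) {
	switch {
	case strings.HasPrefix(id, "arn:aws:kms:"):
		return "aws", nil
	case strings.HasPrefix(id, "projects/") && strings.Contains(id, "/cryptoKeys/"):
		return "gcp", nil
	case strings.HasPrefix(id, "https://") && strings.Contains(id, ".vault.azure.net/keys/"):
		return "azure", nil
	}
	return "", fmt.Errorf("unrecognised kms_key_id format: %q", id)
}

// ValidateAppAuth enforces the "pem_file and kms_key_id are mutually exclusive" rule.
func ValidateAppAuth(pemFile, kmsKeyID string) error {
	if pemFile != "" && kmsKeyID != "" {
		return errors.New("pem_file and kms_key_id are mutually exclusive")
	}
	return nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppJWT builds the RS256 JWT GitHub expects from an App: iss is the App ID,
// iat is backdated 60s for clock skew, exp stays inside GitHub's 10-minute cap.
func AppJWT(appID string, now time.Time, signer DigestSigner) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iat": now.Add(-time.Minute).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID,
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input)) // only this crosses the KMS boundary
	sig, err := signer.Sign(digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAppJWT checks the token against the KMS key's public half (a cheap self-check).
func VerifyAppJWT(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	raw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || err2 != nil {
		return nil, errors.New("bad base64 in JWT")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

func main() {
	s, _ := NewLocalSigner()
	tok, _ := AppJWT("12345", time.Now(), s)
	fmt.Println(VerifyAppJWT(tok, &s.key.PublicKey))
}
```

Because the signer receives a digest rather than the full token, a KMS that only offers digest-mode RSA PKCS#1 v1.5 signing is enough; the KMS key's public half is all the provider ever needs locally, and every signature request shows up in the cloud provider's audit log.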

Labels

  • Needs Discussion: This issue/PR needs maintainers to discuss and decide on a course of action.
  • Status: Triage: This is being looked at and prioritized
  • Type: Feature: New feature or request