Private Model Artifact Repositories Access through Deploy Keys
PythonTo manage access to private model artifact repositories, you typically use deploy keys. A deploy key is an SSH key that is stored on your server and grants access to a single repository of code. In infrastructure as code, deploying and managing these keys can be done programmatically using Pulumi and a compatible provider such as GitHub or GitLab.
Here's a detailed explanation of how you can achieve this in Pulumi with Python:
github.RepositoryDeployKey: This resource is used to manage deploy keys for GitHub repositories, granting read-only or read-write access to the repository.gitlab.DeployKey: Similarly, for GitLab repositories, we use this resource to add SSH keys as deploy keys to the specified project, with optional write access.
In both cases, the deploy key is an SSH public key that you generate and associate with the repository. When a deployment occurs, services that have access to the private key can authenticate with the respective cloud service to access the repository.
Below is a Pulumi Python program that demonstrates how you might configure deploy keys for both GitHub and GitLab. This code will create new deploy keys for specific repositories when applied.
import pulumi import pulumi_github as github import pulumi_gitlab as gitlab # Replace these variables with your own data github_repo_name = 'my-github-repo' gitlab_project_id = 'my-gitlab-project-id' ssh_key_public = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...' # Replace with your public deploy key # Create a deploy key for a GitHub repository github_deploy_key = github.RepositoryDeployKey("github-deploy-key", title="my-deploy-key", # A name to identify the deploy key key=ssh_key_public, # The public part of the deploy key read_only=True, # Set to False to allow write access repository=github_repo_name, ) # Create a deploy key for a GitLab project gitlab_deploy_key = gitlab.DeployKey("gitlab-deploy-key", title="my-deploy-key", # A name to identify the deploy key key=ssh_key_public, # The public part of the deploy key can_push=False, # Set to True to allow write access project=gitlab_project_id, ) # Export the deploy key IDs for both GitHub and GitLab pulumi.export("github_deploy_key_id", github_deploy_key.id) pulumi.export("gitlab_deploy_key_id", gitlab_deploy_key.id)In both resources, the
titleis the name you want to give the deploy key, andkeyis where you place your SSH public key. For GitHub, theread_onlyattribute defines whether the deploy key has the permissions to write to the repository. In GitLab, this is controlled by thecan_pushattribute. Make sure to setread_onlyorcan_pushtoFalseif you need write access for deployments.Finally, the
exportstatements at the bottom of the program make the IDs of the created deploy keys available in the Pulumi stack's outputs. These can be used to reference the deploy keys outside of Pulumi if necessary.Replace
my-github-repoandmy-gitlab-project-idwith the actual identifiers for your repository and GitLab project, respectively. Also, replace the dummy SSH key provided inssh_key_publicwith your actual SSH public key.To generate an SSH key pair to use as a deploy key, you can run:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"When prompted, you can specify the file to save the key and whether to use a passphrase for additional security. The public key file (commonly ending with
.pub) is what you would put into thessh_key_publicvariable. Keep the private key secure and don't share it.Remember to install the
pulumi_githubandpulumi_gitlabPython packages if you haven't already:pip install pulumi_github pulumi_gitlabThis code presumes that your Pulumi configuration is already set up for GitHub and GitLab, meaning you've configured the respective access tokens needed to authenticate with these providers.