Private Model Artifact Repositories Access through Deploy Keys
To manage access to private model artifact repositories, you typically use deploy keys. A deploy key is an SSH key that is stored on your server and grants access to a single repository of code. In infrastructure as code, deploying and managing these keys can be done programmatically using Pulumi and a compatible provider such as GitHub or GitLab.
Here's a detailed explanation of how you can achieve this in Pulumi with Python:
github.RepositoryDeployKey: This resource is used to manage deploy keys for GitHub repositories, granting read-only or read-write access to the repository.
gitlab.DeployKey: Similarly, for GitLab repositories, we use this resource to add SSH keys as deploy keys to the specified project, with optional write access.
In both cases, the deploy key is an SSH public key that you generate and associate with the repository. When a deployment occurs, services that have access to the private key can authenticate with the respective cloud service to access the repository.
Below is a Pulumi Python program that demonstrates how you might configure deploy keys for both GitHub and GitLab. This code will create new deploy keys for specific repositories when applied.
    import pulumi
    import pulumi_github as github
    import pulumi_gitlab as gitlab

    # Replace these variables with your own data
    github_repo_name = 'my-github-repo'
    gitlab_project_id = 'my-gitlab-project-id'
    ssh_key_public = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...'  # Replace with your public deploy key

    # Create a deploy key for a GitHub repository
    github_deploy_key = github.RepositoryDeployKey("github-deploy-key",
        title="my-deploy-key",       # A name to identify the deploy key
        key=ssh_key_public,          # The public part of the deploy key
        read_only=True,              # Set to False to allow write access
        repository=github_repo_name,
    )

    # Create a deploy key for a GitLab project
    gitlab_deploy_key = gitlab.DeployKey("gitlab-deploy-key",
        title="my-deploy-key",       # A name to identify the deploy key
        key=ssh_key_public,          # The public part of the deploy key
        can_push=False,              # Set to True to allow write access
        project=gitlab_project_id,
    )

    # Export the deploy key IDs for both GitHub and GitLab
    pulumi.export("github_deploy_key_id", github_deploy_key.id)
    pulumi.export("gitlab_deploy_key_id", gitlab_deploy_key.id)
In both resources, the title is the name you want to give the deploy key, and key is where you place your SSH public key. For GitHub, the read_only attribute defines whether the deploy key has permission to write to the repository. In GitLab, this is controlled by the can_push attribute. If you need write access for deployments, set read_only to False (GitHub) or can_push to True (GitLab).

Finally, the export statements at the bottom of the program make the IDs of the created deploy keys available in the Pulumi stack's outputs. These can be used to reference the deploy keys outside of Pulumi if necessary.

Replace my-github-repo and my-gitlab-project-id with the actual identifiers for your repository and GitLab project, respectively. Also, replace the dummy SSH key provided in ssh_key_public with your actual SSH public key.

To generate an SSH key pair to use as a deploy key, you can run:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
When prompted, you can specify the file to save the key and whether to use a passphrase for additional security. The public key file (commonly ending with .pub) is what you would put into the ssh_key_public variable. Keep the private key secure and don't share it.

Remember to install the pulumi_github and pulumi_gitlab Python packages if you haven't already:

    pip install pulumi_github pulumi_gitlab
This code presumes that your Pulumi configuration is already set up for GitHub and GitLab, meaning you've configured the respective access tokens needed to authenticate with these providers.
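A pre-flight check for the value placed in ssh_key_public, as an added example that is not part of the original program or of Pulumi: it rejects private key material, a truncated or placeholder key body, and undersized RSA keys, and returns the SHA256 fingerprint so the registered key can be audited later. The function names, the 3072-bit floor and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

MIN_RSA_BITS = 3072  # assumed policy floor; the ssh-keygen command above produces 4096


def read_string(blob: bytes, offset: int):
    """Read one length-prefixed field (RFC 4251 'string') from the key blob."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_deploy_key(line: str) -> dict:
    """Validate an OpenSSH public key line; return its type, size and fingerprint."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material supplied where a public key is expected")
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64 (truncated or placeholder?)") from exc
    inner, pos = read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match the encoded key")
    bits = None
    if declared == "ssh-rsa":
        _exponent, pos = read_string(blob, pos)
        modulus, pos = read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA key is {bits} bits, below the {MIN_RSA_BITS}-bit floor")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "bits": bits, "fingerprint": fingerprint}


def constructed_rsa_line(bits: int) -> str:
    """Constructed sample: a structurally valid ssh-rsa line, not a usable key."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    modulus = b"\x00" + b"\xc3" * (bits // 8)  # leading zero keeps the mpint positive
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " deploy@example"
```

Calling inspect_deploy_key(ssh_key_public) before the resources are declared makes the run fail early on a bad key, and the returned fingerprint has the same form that ssh-keygen -lf prints for the .pub file.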