Stop Entering Your GitHub Credentials In Azure Cloud Shell!

Timeout!

Stop the presses!

Hold the phone ... because I have an important announcement!!

Stop entering your GitHub credentials into Azure Cloud Shell this instant!

Seriously, stop entering any git credentials into Cloud Shell!

Cuz I wanna tell you a secret ... you don't have to!

And I'll show you how!

What Is Azure Cloud Shell

Ok, let's step back for a moment here, and first answer the question: what is Azure Cloud Shell, and why does it want your GitHub credentials?

Azure Cloud Shell allows you to manage your Azure resources through a browser-based Bash or PowerShell terminal.

Go ahead - load it up!

So you're probably saying - that's cool, so I can use the Azure Command Line Interface to create, delete, and manage my Azure resources. But that doesn't explain why it wants my GitHub credentials!

You're right - that doesn't answer the question at all.

But the Cloud Shell comes with some insane features and tools built right in that kind of make it like a full-fledged development environment.

I mean.. you can save files in Cloud Shell by using Azure Storage.

There are also some code editors built right in. Like vim, emacs, or a scaled-down version of Code ... called code. It has build tools like make and npm. It has container tools like Docker Machine.

It's full-fledged legit.

So it's not out of the question to want to download some code that you have stored away on GitHub (or any other cloud accessible git) down to Cloud Shell.

Getting to the Problem With Git

Now that you know of all the goodness Cloud Shell provides, you've probably thought of a reason to bring some of your code to it.

But... the problem with Git, is that you need to authenticate before you can do anything. (Well, on public repos you can clone w/o authentication - so if that's all you're after - you're done.)

That's all fine and good, but you'll find yourself entering your username and password Every. Single. Time. you want to do anything requiring authentication.

And who wants to do all that typing?

(Plus to top it off, your regular password won't work ... it needs to be a special password!)

So what's a developer who uses Cloud Shell to do?

Well, there are 2 ways you can go with this.

You can either set up Cloud Shell to use Personal Access Token authentication.

Or you can use SSH authentication.

We Don't Need No Security!!

Now before we get too excited ... neither of the methods below is 100% secure (except for the very last one).

I mean they're secure as far as the authentication to your Git provider goes.

But, in order for your credentials to always be available, so you don't have to type them in every time, we'll need to store them on the file system.

You see, Cloud Shell needs an Azure Files share in an Azure Storage account to store any files that are persisted across sessions.

So if you create your own Azure Storage account that nobody else has access to - you're golden!

But if somebody else would have access to your Storage Account ... then they could mount it in their Cloud Shell and grab your Git tokens. Boo.

Oh well ... security be damned! Who wants to type?!? Onwards!

HTTPS / Personal Access Token Authentication

Personal Access Tokens are perfect for Cloud Shell. You can use them to specify exactly what they have access to in your GitHub account. Don't want a token to be able to delete a repo? Don't give it that permission!

Ok, the first thing you need to do is create a Personal Access Token up in GitHub.

When it asks for the scopes - you'll only need repo access.

But copy that, cuz you'll need it in just a bit.

Next you'll want to issue these 2 commands in the Cloud Shell:

  1. git config --global --unset credential.helper
  2. git config --global credential.helper store

With those 2 commands, we're telling Git to use a credential helper. Or, telling it where to go to find login credentials anytime it needs them so it doesn't bother us to type them in.

The first command clears out any existing credential helpers.

And the second command sets the credential helper to store, which puts the credentials in a plain text file.

Then the next time you do an operation with Git that requires you to login, it will prompt you for your username and password.

Enter your username as usual. But enter that Personal Access Token for the password.

Git will update ~/.git-credentials for you.

It's stored in plain text - but oh well, if you're the only one who has access to the Storage Account that Cloud Shell uses, you're good to go!

SSH Authentication

Next up is SSH Authentication. It's an alternative means of authenticating.

(HTTPS/Personal Access Tokens is the recommended means of authenticating, but if you don't want that token just sitting somewhere where it's easily found - set up SSH!)

To set up SSH Authentication with GitHub - follow the directions here (using the Linux tab).

Essentially the steps are as follows:

  1. Type ls -al ~/.ssh into the terminal and make sure id_rsa.pub exists. It should.
  2. Start the agent by typing eval "$(ssh-agent -s)" ... but it's probably already running.
  3. Run ssh-add ~/.ssh/id_rsa but again, that's probably already set up and done.
  4. Finally add the public portion (or the contents of the id_rsa.pub file) of the SSH key to your GitHub account. Follow these directions to do so.

All cool! But there's a downside. :(

Whenever you want to clone a repo, you'll need to use this syntax:

git clone git@github.com:<YOUR USERNAME>/<YOUR REPO NAME> ... assuming the thing you're trying to clone is in your account.

For me it would be something like:

`git clone git@github.com:codemilllmatt/mycoolrepo`

Not horrible, just something different.

How About Some Inconvenient Security Though?!?

But ... what if you are willing to trade a bit of inconvenience for security? Meaning that you're willing to enter your password every 60 minutes instead of having it lying around in plain text?

Then when using the HTTPS/Personal Access Token method, enter this instead of the second command:

git config --global credential.helper "cache --timeout=3600"

Your credentials will be in memory - but only for a limited amount of time. On the downside - you'll either have to permanently store your PAT locally, or regenerate it every time.
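To see what the store and cache helpers described above actually leave behind, here is an added audit script (not part of the original post). It lists which accounts sit in ~/.git-credentials without printing the token, and flags a file that other users can read. The function names, the sample user and the fake token are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Sample data is constructed; the token is a fake placeholder.

# Where does the secret live for a given credential.helper value?
helper_exposure() {
  case $1 in
    store|"store "*) echo "plaintext-on-disk" ;;
    cache|"cache "*) echo "memory-until-timeout" ;;
    "")              echo "prompt-every-time" ;;
    *)               echo "other-helper" ;;
  esac
}

# Print "scheme://user@host" for each stored entry, never the secret.
list_stored_credentials() {
  [ -f "$1" ] || return 0
  sed -nE 's#^([a-z][a-z0-9+.-]*://[^:/@]+):[^@]*@([^/]+).*$#\1@\2#p' "$1"
}

# True when group and other have no permission bits on the file.
is_owner_only() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# One-line verdict for a home directory and its helper setting.
# Entries can outlive a switch from store to cache, so both are reported.
audit_git_credentials() {
  local file="$1/.git-credentials" exposure count
  exposure=$(helper_exposure "$2")
  count=$(list_stored_credentials "$file" | wc -l | tr -d ' ')
  if [ "$count" -gt 0 ] && ! is_owner_only "$file"; then
    echo "$exposure entries=$count perms=too-open"
  else
    echo "$exposure entries=$count perms=ok"
  fi
}

# Demo on a throwaway directory (constructed data, nothing real is read).
demo_home=$(mktemp -d)
printf 'https://example-user:FAKE_TOKEN_NOT_REAL@github.com\n' > "$demo_home/.git-credentials"
chmod 644 "$demo_home/.git-credentials"
list_stored_credentials "$demo_home/.git-credentials"
audit_git_credentials "$demo_home" "store"
audit_git_credentials "$demo_home" "cache --timeout=3600"
rm -rf "$demo_home"

# Real use in Cloud Shell:
#   audit_git_credentials "$HOME" "$(git config --global --get credential.helper)"
```

File permissions only guard against other local users; anyone who can reach the backing Storage Account still gets the file, so any entry this lists is a token to revoke if that account is ever shared.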

We Did It!

There you have it. A little configuration and now you can stop entering your password every. single. time. you want to do something with Git.

I 💖 the command line!!