Rotation of GitHub Deploy Keys

mfmcdonagh · September 3, 2019, 11:08am

When a Github repo is added to CircleCI its my understanding that CircleCI adds a deploy key to GitHub. This key gives read only access to the repo.

If a user decides to run a job via “Rerun job with SSH”, they can access that key as its accessible to them in the .ssh folder.

I’m concerned that when a user leaves the org that they can take with them a copy of the deploy key and retain read access to the repo.

Is there any mechanism to rotate the deploy keys when someone leaves my org ?

lynncyrin · December 10, 2019, 12:17am

I’m also interested in rotating deploy keys! It looks like you can setup a script to rotate them via these APIs? https://circleci.com/docs/api/#keys

Topic		Replies	Views
Rotating all of the Organizations Deploy keys Tips, Tricks, and Hacks api	1	1361	October 31, 2022
Add deploy key to checkout from second github repository Build Environment ssh , github , security	2	2181	June 18, 2018
Read/write deployment key not working Feedback & Bug Reports	0	1603	July 3, 2018
Unable to create a "write" key for our GitHub Repo Integrations and Accounts	7	7027	July 15, 2019
When to use a "Deploy Key" vs. a "User Key"? Integrations and Accounts ssh , github	4	2280	February 3, 2023