Skip to content

Configure Personal Access Token#

Let's add a few secrets that we will need to get our pipelines running. You can check secrets documentation to read more on these secrets.


  • Generate a organization level PAT with the necessary permissions for pipeline integration.
  • Securely store the GitHub PAT in Vault for added protection.

Key Results#

  • Personal Access Token (PAT) with the specified permissions is generated successfully in the GitHub account.
  • The GitHub PAT is securely stored in Vault and can be accessed only by authorized entities, enhancing security.


  • Infra GitOps Repository is configured.
  • Delivery Engineer added as the owner of root-tenant.
  • Delivery Engineer added as a member of customer admin group. The customer admin group provides permission to deploy ArgoCD application in ArgoCD namespace.
  • A GitHub user with access over all the repositories on GitHub. You can name this user saap-bot.


Creating Personal Access Token#

  1. Generate a Fine-grained Token (PAT) on GitHub.

  2. Go to your GitHub account settings for the top-right corner on your profile.

  3. Navigate to Developer settings

  4. Go to Personal access tokens.

  5. From drop-down select Fine-grained Tokens.

  6. Click Generate new token.

  7. Provide a name for the token.

  8. Select the Resource owner(your organization).

  9. Set Repository Access to All Repositories.

  10. Select the following scopes/permissions:

    * Administration (Read only)
    * Commit status (Read only)
    * Contents (Read only)
    * Metadata (Read only)
    * Pull requests (Read and write)
    * Webhook (Read and write)


Save the token cautiously, you'll need to save it in Vault.

Adding Token to Vault#

Now that we have created the GitHub Token, we will store it in Vault.


The delivery engineer should be part of the root-tenant. The root tenant makes sure that the delivery engineer is able to login to Vault with OIDC and is able to view the ArgoCD application created for bootstrapping Infra repository. Please contact SAAP team if you are unable to access Vault using OIDC method

Login to Vault to view path.

  1. Access Vault from Forecastle console, search Vault and open the Vault tile.

  2. From the drop-down menu under Method, select OIDC and click on Sign in with OIDC Provider.

  3. You will be brought to the Vault console. You should see common-shared-secrets folder.

  4. Click on common-shared-secrets.

  5. You will now be brought to the secrets and the configurations. Click on create secret.

  6. Let's create a git-pat-creds secret for our webhook secret. Write the name of the secret in path which is git-pat-creds. Add secret data

    • key: username, value: (GitHub username).
    • key: password, value (Newly created PAT). Hit save.

Adding External Secret#

Since we want the git-pat-creds secret to be deployed in all of the tenant namespaces, we will use a multi-tenant-operator template to deploy it.

  1. Open up the infra-gitops-config repository that we have already bootstrapped.

  2. Open the tenant-operator-config folder and create a templates folder inside it.

  1. Now create a file named git-pat-creds-template.yaml and add the following content.
 kind: Template
   name: git-pat-creds
     - apiVersion:
       kind: ExternalSecret
         name: git-pat-creds
           - extract:
               conversionStrategy: Default
               key: git-pat-creds
         refreshInterval: 1m0s
           kind: SecretStore
           name: tenant-vault-shared-secret-store
           name: git-pat-creds
  1. Create another file named git-pat-creds-tgi.yaml and add the below content.
kind: TemplateGroupInstance
  name: git-pat-creds
  template: git-pat-creds
      - key:
        operator: In
        values: [ build, pr ]
  sync: true
  1. Lets see our Template and TGI in ArgoCD. Open up ArgoCD and look for tenant-operator-config application. You should be able to see your Template and TGI deployed.