February 05, 2023

GitHub fine-grained PATs for CDK Pipelines

by John Lukach

GitHub fine-grained personal access tokens (PATs) may only be available in beta, but the pros outweigh the cons: they reduce the blast radius that comes with classic PATs.


CDK Pipelines requires the token to be stored in an AWS Secrets Manager (ASM) secret called github-token.


Instead of having access to all repositories, the token can be scoped to a specific code base.


Initial CDK Pipeline setup only requires Metadata and Webhook permissions.


While the user interface (UI) says the token can live forever, it must be configured to expire in one year.
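An added example, not from the original post: a Python pre-check that refuses a classic PAT, or a token with no expiry or an expiry more than a year out, before writing it as plaintext to the `github-token` secret with boto3. The `github_pat_` and `ghp_` prefixes are GitHub's token formats; the function names and the 366-day constant are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

SECRET_NAME = "github-token"        # secret name the post says CDK Pipelines reads
MAX_LIFETIME = timedelta(days=366)  # assumption: "one year", allowing a leap day


def token_kind(token):
    """Classify a GitHub PAT by its prefix."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def check_token(token, expires_at, now=None):
    """Return a list of problems; an empty list means the token may be stored.

    expires_at is the expiry chosen in the GitHub UI (timezone-aware datetime),
    or None if no expiration was set.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    kind = token_kind(token)
    if kind != "fine-grained":
        problems.append(f"{kind} token: expected a fine-grained PAT (github_pat_...)")
    if expires_at is None:
        problems.append("token has no expiration date")
    elif expires_at <= now:
        problems.append("token is already expired")
    elif expires_at - now > MAX_LIFETIME:
        problems.append("token lifetime exceeds one year")
    return problems


def store_token(token, expires_at, client=None, now=None):
    """Validate the token, then write it as plaintext to the github-token secret."""
    problems = check_token(token, expires_at, now)
    if problems:
        raise ValueError("; ".join(problems))  # messages never contain the token
    if client is None:
        import boto3  # imported lazily so the checks run without AWS access
        client = boto3.client("secretsmanager")
    try:
        client.put_secret_value(SecretId=SECRET_NAME, SecretString=token)
    except client.exceptions.ResourceNotFoundException:
        client.create_secret(Name=SECRET_NAME, SecretString=token)
    return SECRET_NAME
```
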


When adding permissions for deploying additional resources, the UI has inconsistent names; these are my starting point. I may be able to reduce these more in the future.


Read Only
Read & Write
tags: AWS - CDK - GitHub - Pipelines - PATs