With the Get Key Vault Secrets action, you can fetch secrets from an Azure Key Vault instance and consume in your GitHub Action workflows.
The definition of this GitHub Action is in action.yml.
Secrets fetched will be set as outputs of the keyvault action instance and can be consumed in the subsequent actions in the workflow using the notation: ${{ steps.<Id-of-the-KeyVault-Action>.outputs.<Secret-Key> }}. In addition, secrets are also set as environment variables. All the variables are automatically masked if printed to the console or to logs.
Refer to more Actions for Azure and Starter templates to easily automate your CICD workflows targeting Azure services using GitHub Action workflows.
- Authenticate using Azure Login with an Azure service principal, which also has Get, List permissions on the keyvault under consideration.
# File: .github/workflows/workflow.yml
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
# checkout the repo
- uses: actions/checkout@master
- uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: bitwarden/gh-actions/get-keyvault-secrets@v1
with:
keyvault: "my
Vault"
secrets: 'mySecret' # comma separated list of secret keys that need to be fetched from the Key Vault
id: myGetSecretAction
To fetch the credentials required to authenticate with Azure, run the following command to generate an Azure Service Principal (SPN) with Contributor permissions:
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
# Replace {subscription-id}, {resource-group} with the subscription, resource group details of your keyvault
# The command should output a JSON object similar to this:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}Add the json output as a secret (let's say with the name AZURE_CREDENTIALS) in the GitHub repository.
Provide explicit access policies on the above Azure service principal to be able to access your Key Vault for get and list operations. Use below command for that:
az keyvault set-policy -n $KV_NAME --secret-permissions get list --spn <clientId from the Azure SPN JSON>
For more details, refer to KeyVault Set-Policy.
Sample workflow which leverages the Key Vault action to fetch multiple secrets from the Key Vault and use them as credentials for the docker login action.
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
# checkout the repo
- uses: actions/checkout@master
- uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }} # Define secret variable in repository settings as per action documentation
- uses: bitwarden/gh-actions/get-keyvault-secrets@v1
with:
keyvault: "myKeyVault"
secrets: "mySecret1, mySecret2"
id: myGetSecretAction
- uses: Azure/docker-login@v1
with:
login-server: mycontainer.azurecr.io
username: ${{ steps.myGetSecretAction.outputs.mySecret1 }}
password: ${{ steps.myGetSecretAction.outputs.mySecret2 }}
- run: |
cd go-sample
docker build . -t my.azurecr.io/myimage:${{ github.sha }}
docker push my.azurecr.io/myimage:${{ github.sha }}
cd ..