Skip to content
unlock

GitHub Action

Vault Secrets

v0.3.0 Latest version
Use latest version
unlock

Vault Secrets

A Github Action that allows you to consume the v2 K/V backend of HashiCorp Vault as secure environment variables

Installation

Copy and paste the following snippet into your .yml file.

- name: Vault Secrets
  uses: RichiCoder1/vault-action@v0.3.0
Learn more about this action in RichiCoder1/vault-action
Choose a version

vault-action

A helper action for easily pulling secrets from the default v2 K/V backend of vault.

Example Usage

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              uses: RichiCoder1/vault-action
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VaultToken }}
                secrets: |
                    ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    ci npm_token
            # ...

Key Syntax

The secrets parameter is a set of multiple secret requests separated by the ; character.

Each secret request is comprised of the path and the key of the desired secret, and optionally the desired Env Var output name.

{{ Secret Path }} {{ Secret Key }} | {{ Output Environment Variable Name }}

Simple Key

To retrieve a key npmToken from path ci that has value somelongtoken from vault you could do:

with:
    secrets: ci npmToken

vault-action will automatically normalize the given data key, and output:

NPMTOKEN=somelongtoken

Set Environment Variable Name

However, if you want to set it to a specific environmental variable, say NPM_TOKEN, you could do this instead:

with:
    secrets: ci npmToken | NPM_TOKEN

With that, vault-action will now use your requested name and output:

NPM_TOKEN=somelongtoken

Multiple Secrets

This action can take multi-line input, so say you had your AWS keys stored in a path and wanted to retrieve both of them. You can do:

with:
    secrets: |
        ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        ci/aws secretKey | AWS_SECRET_ACCESS_KEY

Namespace

This action could be use with namespace Vault Enterprise feature. You can specify namespace in request :

steps:
    # ...
    - name: Import Secrets
      uses: RichiCoder1/vault-action
      with:
        url: https://vault-enterprise.mycompany.com:8200
        token: ${{ secrets.VaultToken }}
        namespace: ns1
        secrets: |
            ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            ci npm_token

Masking

This action uses Github Action's built in masking, so all variables will automatically be masked if printed to the console or to logs.

You can’t perform that action at this time.