
Github Action to read a secret value from AWS Secret Manager


t-botz/aws-secrets-manager-read-action


AWS Secrets Manager Reader

Use this action to read a secret value from AWS Secrets Manager.

This action assumes that:

Usage

Assuming we have defined in AWS Secrets Manager a secret named foo/bar with the following content:

```json
{
  "MY_SECRET": "123456"
}
```

```yaml
- uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: us-east-1
- name: Retrieve Secrets
  id: secrets
  uses: t-botz/aws-secrets-manager-read-action@v2
  with:
    secret-id: foo/bar
    mask-json-values: true
    keys-as-env-vars: true
    keys-as-outputs: true
    append-to-env-file: ./my.env
- name: Use Secret
  run: |
    # Will actually display '***' because the secret value is masked in the log
    echo "${{ fromJSON(steps.secrets.outputs.secret).MY_SECRET }}"

    # Same result thanks to `keys-as-outputs: true`
    echo "${{ steps.secrets.outputs.MY_SECRET }}"

    # Same result thanks to `keys-as-env-vars: true`
    echo "$MY_SECRET"

    # Show the secret from the env file
    cat ./my.env
```

Inputs

| Name | Type | Description |
|---|---|---|
| `secret-id` | String | Refer to the AWS Secrets Manager `GetSecretValue` documentation |
| `version-id` | String | Refer to the AWS Secrets Manager `GetSecretValue` documentation |
| `version-stage` | String | Refer to the AWS Secrets Manager `GetSecretValue` documentation |
| `mask-value` | Boolean (default `true`) | Mask the whole secret value returned by AWS. |
| `mask-json-values` | Boolean (default `false`) | Assume the secret is a JSON object and mask all JSON object values, even the nested ones. |
| `keys-as-env-vars` | Boolean (default `false`) | Assume the secret is a JSON object and export its keys as environment variables. They can then be accessed with `${{ env.MY_SECRET }}`. |
| `keys-as-outputs` | Boolean (default `false`) | Assume the secret is a JSON object and export its keys as step outputs. They can then be accessed with `${{ steps.<id_of_step>.outputs.MY_SECRET }}`. |
| `append-to-env-file` | String (default `''`) | Assume the secret is a JSON object and append its key/value pairs to an env file. The value is the path to the file. |
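To make the difference between `mask-value` and `mask-json-values` concrete, here is an added TypeScript example (not the action's own source; the function names, the simplified masking model and the nested sample secret are constructed for illustration). It walks a JSON `SecretString`, collects the leaf values that `mask-json-values` would register for masking, flattens the top-level keys into env-var/output pairs, and serialises them as dotenv lines:

```typescript
// Added example, not the action's own code: a minimal model of what happens to
// a JSON SecretString after it is read from AWS Secrets Manager, so the effect
// of mask-value vs mask-json-values and of the env-file export can be seen
// offline. All function names here are invented for this example.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Constructed sample SecretString for the README's foo/bar secret, extended
// with nested values to exercise the "even the nested ones" case.
export const SAMPLE_SECRET_STRING: string = JSON.stringify({
  MY_SECRET: "123456",
  db: { password: "p@ss word", port: 5432 },
  tokens: ["tok-a", "tok-b"],
});

// Walk the parsed JSON and return every leaf value as a string. With
// mask-json-values each of these would be registered for masking
// (core.setSecret); with mask-value alone only the whole string would be.
export function collectLeafValues(node: Json, acc: string[] = []): string[] {
  if (node === null) {
    return acc;
  }
  if (Array.isArray(node)) {
    node.forEach((v) => collectLeafValues(v, acc));
  } else if (typeof node === "object") {
    Object.values(node).forEach((v) => collectLeafValues(v, acc));
  } else {
    acc.push(String(node));
  }
  return acc;
}

// Simplified model of runner log masking: every registered value is replaced
// by '***' wherever it occurs as a substring. The real runner does more
// (multi-line handling and so on), but the substring rule is what matters.
export function maskLogLine(line: string, registered: string[]): string {
  let out = line;
  for (const value of registered) {
    if (value.length > 0) {
      out = out.split(value).join("***");
    }
  }
  return out;
}

const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Top-level keys become env vars / outputs. Nested objects and arrays are kept
// as JSON text here (an assumption: the README does not say how the action
// handles them). Keys that are not valid env-var names are rejected rather
// than silently written into the job environment.
export function topLevelPairs(secretString: string): Record<string, string> {
  const parsed: Json = JSON.parse(secretString);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("SecretString is not a JSON object");
  }
  const pairs: Record<string, string> = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ENV_NAME.test(key)) {
      throw new Error(`key ${JSON.stringify(key)} is not a valid env var name`);
    }
    pairs[key] = typeof value === "string" ? value : JSON.stringify(value);
  }
  return pairs;
}

// Serialise pairs as dotenv lines. Values are always double-quoted with
// backslash, double quote and newline escaped, so a value containing spaces
// or line breaks cannot break the file or smuggle in a second variable.
export function toEnvFileLines(pairs: Record<string, string>): string[] {
  return Object.entries(pairs).map(([key, value]) => {
    const escaped = value
      .replace(/\\/g, "\\\\")
      .replace(/"/g, '\\"')
      .replace(/\n/g, "\\n");
    return `${key}="${escaped}"`;
  });
}
```

The point to take from `maskLogLine` is that with `mask-value` alone the runner has registered only the full `SecretString`, so a single field pulled out with `fromJSON(...)`, exported as an output or echoed from an env var is not a registered value and prints in clear; `mask-json-values: true` closes that gap by registering each nested leaf. Separately, anything exported with `keys-as-env-vars` is visible to every later step in the job, and `append-to-env-file` writes the values in clear text into the workspace, so that file should never be uploaded as an artifact or committed.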

Outputs

| Name | Type | Description |
|---|---|---|
| `secret` | String | `SecretString` as returned by the AWS API |
| `<key>` | String | If `keys-as-outputs` is set, each JSON key of the secret becomes an output |
