vault-action
A helper action for retrieving vault secrets as env vars.
Example Usage
jobs:
build:
# ...
steps:
# ...
- name: Import Secrets
uses: richicoder1/vault-action
with:
vaultUrl: https://vault.mycompany.com
vaultToken: ${{ secrets.VaultToken }}
keys: |
ci_key ;
ci/aws > $.accessKey | AWS_ACCESS_KEY_ID ;
ci/aws > $.secretKey | AWS_SECRET_ACCESS_KEY ;
ci/npm_token | NPM_TOKEN
# ...
Key Syntax
The keys parameter is multiple keys separated by the ; character.
Each key is comprised of the path of they key, and optionally a JSONPath expression and an output name.
{{ Key Path }} > {{ JSONPath Query }} | {{ Output Environment Variable Name }}
Simple Key
To retrieve a key ci/npm_token that has value somelongtoken from vault you could do:
with:
keys: ci/npm_token
vault-action will automatically normalize the given path, and output:
CI__NPM_TOKEN=somelongtoken
Set Environment Variable Name
However, if you want to set it to a specific environmental variable, say NPM_TOKEN, you could do this instead:
with:
keys: ci/npm_token | NPM_TOKEN
With that, vault-action will now use your request name and output:
NPM_TOKEN=somelongtoken
JSON Key
Say you are storing a set of AWS keys as a JSON document in Vault like so:
{
"accessKey": "AKIAIOSFODNN7EXAMPLE",
"secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
And you want to set them to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY respectively so you could use the AWS CLI:
with:
keys: |
ci/aws > $.accessKey | AWS_ACCESS_KEY_ID ;
ci/aws > $.secretKey | AWS_SECRET_ACCESS_KEY
This would output:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Masking
This action uses Github Action's built in masking, so all variables will automatically be masked if printed to the console or to logs.