Giancarlo França f229481670 feat: support for KV version 1 and custom-named engines (#12)
* feat: kv v1 and engine path

* doc: add custom version and engine path usage docs

Co-authored-by: Richard Simpson <richardsimpson@outlook.com>
2020-02-04 09:40:55 -06:00

vault-action

A helper action for easily pulling secrets from the K/V backend of Vault.

Expects Version 2 of the KV Secrets Engine by default.

Example Usage

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              uses: RichiCoder1/vault-action
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VaultToken }}
                secrets: |
                    ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    ci npm_token
            # ...

Authentication method

The method parameter can have these values:

  • token (the default): you must provide a token parameter
...
with:
  url: https://vault.mycompany.com:8200
  token: ${{ secrets.VaultToken }}
  • approle: you must provide the roleId and secretId parameters
...
with:
  url: https://vault.mycompany.com:8200
  method: approle
  roleId: ${{ secrets.roleId }}
  secretId: ${{ secrets.secretId }}

Key Syntax

The secrets parameter is a set of multiple secret requests separated by the ; character.

Each secret request consists of the path and the key of the desired secret, and optionally the desired environment variable output name.

{{ Secret Path }} {{ Secret Key }} | {{ Output Environment Variable Name }}

Simple Key

To retrieve the key npmToken from the path ci, whose value in Vault is somelongtoken, you could do:

with:
    secrets: ci npmToken

vault-action will automatically normalize the given data key, and output:

NPMTOKEN=somelongtoken

Set Environment Variable Name

However, if you want to set it to a specific environment variable, say NPM_TOKEN, you could do this instead:

with:
    secrets: ci npmToken | NPM_TOKEN

With that, vault-action will now use your requested name and output:

NPM_TOKEN=somelongtoken

Multiple Secrets

This action can take multi-line input, so if you had both of your AWS keys stored at one path and wanted to retrieve them, you could do:

with:
    secrets: |
        ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        ci/aws secretKey | AWS_SECRET_ACCESS_KEY

Using K/V version 1

By default, vault-action expects a K/V engine using version 2.

In order to work with a v1 engine, the kv-version parameter may be passed:

with:
    kv-version: 1

Custom Engine Path

When you enable the K/V engine it is mounted at the path secret by default, so a secret named ci will be accessed from secret/ci. However, if you enabled the secrets engine at a custom path, you can pass it as follows:

with:
    path: my-secrets
    secrets: ci npmToken

This way, the ci secret in the example above will be retrieved from my-secrets/ci.
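The Key Syntax, K/V version and Custom Engine Path sections above describe how a secrets entry maps to a Vault read. The following added example (not vault-action's own code) parses that syntax and derives the request for each entry. It assumes the Vault KV API paths (v2 reads use /v1/<mount>/data/<path> and return fields under data.data; v1 reads use /v1/<mount>/<path> with fields under data) and assumes the output-name normalization is "uppercase, non-alphanumerics dropped", since the README only shows npmToken becoming NPMTOKEN.

```javascript
// Added example, not vault-action's own implementation.
// Assumed normalization: drop non-alphanumerics, then uppercase
// (the README only shows npmToken -> NPMTOKEN).
function normalizeOutputName(key) {
  return key.replace(/[^A-Za-z0-9]/g, '').toUpperCase();
}

// Parse "path key | OUTPUT ; path key ..." into one request per entry.
// kvVersion and mount mirror the kv-version and path inputs.
function parseSecrets(spec, { kvVersion = 2, mount = 'secret' } = {}) {
  return spec
    .split(';')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => {
      const [request, outputName] = entry.split('|').map((s) => s.trim());
      const parts = request.split(/\s+/);
      if (parts.length !== 2) {
        throw new Error(`bad secret request: "${entry}"`);
      }
      const [path, key] = parts;
      // Assumed Vault KV API layout: v2 inserts a "data" segment, v1 does not.
      const apiPath = kvVersion === 1
        ? `/v1/${mount}/${path}`
        : `/v1/${mount}/data/${path}`;
      return {
        path,
        key,
        apiPath,
        outputName: outputName || normalizeOutputName(key),
      };
    });
}

// Pull one field out of a Vault read response body; v2 nests it one level deeper.
function extractValue(body, key, kvVersion = 2) {
  const fields = kvVersion === 1 ? body.data : body.data && body.data.data;
  if (!fields || !(key in fields)) {
    throw new Error(`key "${key}" not found in response`);
  }
  return fields[key];
}

// Constructed sample input: the README's multi-secret spec plus a bare key.
const sampleSpec = `
  ci/aws accessKey | AWS_ACCESS_KEY_ID ;
  ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
  ci npmToken
`;
// Constructed sample KV v2 read response for the path "ci".
const sampleV2Body = { data: { data: { npmToken: 'somelongtoken' } } };
```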

Namespace

This action can be used with the Vault Enterprise namespace feature. You can specify the namespace in the request:

steps:
    # ...
    - name: Import Secrets
      uses: RichiCoder1/vault-action
      with:
        url: https://vault-enterprise.mycompany.com:8200
        method: token
        token: ${{ secrets.VaultToken }}
        namespace: ns1
        secrets: |
            ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            ci npm_token

Masking

This action uses GitHub Actions' built-in masking, so all retrieved secret values will automatically be masked if printed to the console or to logs.
