
A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.

hashicorp/vault-action

Latest commit: 6784ab3 · Sep 20, 2019


vault-action

A helper action for easily pulling secrets from the v2 K/V backend of Vault.

Example Usage

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              uses: RichiCoder1/vault-action
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VaultToken }}
                secrets: |
                    ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    ci npm_token
            # ...

Key Syntax

The secrets parameter is a set of multiple secret requests separated by the ; character.

Each secret request consists of the path and the key of the desired secret, and optionally the desired environment variable output name.

{{ Secret Path }} {{ Secret Key }} | {{ Output Environment Variable Name }}

Simple Key

To retrieve a key npmToken from path ci that has value somelongtoken from Vault, you could do:

with:
    secrets: ci npmToken

vault-action will automatically normalize the given data key, and output:

NPMTOKEN=somelongtoken

Set Environment Variable Name

However, if you want to set it to a specific environment variable, say NPM_TOKEN, you could do this instead:

with:
    secrets: ci npmToken | NPM_TOKEN

With that, vault-action will now use your requested name and output:

NPM_TOKEN=somelongtoken

Multiple Secrets

This action can take multi-line input. For example, if your AWS keys are stored under one path and you want to retrieve both of them, you can do:

with:
    secrets: |
        ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        ci/aws secretKey | AWS_SECRET_ACCESS_KEY
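
The request syntax described above, as an added example that is not part of vault-action's own code: a strict parser for the secrets input that rejects malformed requests, invalid environment variable names, and two requests writing to the same variable. The function names and the normalization rule (strip characters that are not valid in a variable name, then upper-case) are assumptions chosen to match the npmToken -> NPMTOKEN example on this page.

```javascript
'use strict';

// Hypothetical helpers, not the action's API.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Assumption: drop characters that cannot appear in an env var name,
// then upper-case (npmToken -> NPMTOKEN, as in the page's example).
function normalizeKey(key) {
  return key.replace(/[^A-Za-z0-9_]/g, '').toUpperCase();
}

// Parse "path key | ENV_NAME ; path key ; ..." into request objects.
function parseSecrets(input) {
  const requests = [];
  const seen = new Set();
  for (const raw of input.split(';')) {
    const request = raw.trim();
    if (request === '') continue; // trailing ';' or blank line
    const parts = request.split('|');
    if (parts.length > 2) {
      throw new Error(`More than one '|' in request: "${request}"`);
    }
    const selector = parts[0].trim().split(/\s+/);
    if (selector.length !== 2) {
      throw new Error(`Expected "<path> <key>" in request: "${request}"`);
    }
    const [path, key] = selector;
    const envName = parts.length === 2 ? parts[1].trim() : normalizeKey(key);
    if (!ENV_NAME.test(envName)) {
      throw new Error(`Invalid environment variable name "${envName}"`);
    }
    if (seen.has(envName)) {
      // Two secrets exported under one name would silently overwrite each other.
      throw new Error(`Duplicate output name "${envName}"`);
    }
    seen.add(envName);
    requests.push({ path, key, envName });
  }
  return requests;
}

// Constructed sample input, taken from the examples on this page.
const sample = `
    ci/aws accessKey | AWS_ACCESS_KEY_ID ;
    ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
    ci npm_token
`;
console.log(parseSecrets(sample));
```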

Masking

This action uses GitHub Actions' built-in masking, so all variables will automatically be masked if printed to the console or to logs.