From 270f8f6e36d2c1eb582aae4e0c83018d10d5fdef Mon Sep 17 00:00:00 2001 From: maxcoulombe Date: Thu, 2 Mar 2023 15:37:53 -0500 Subject: [PATCH] + added documentation on how to use the retrieved secrets + added an example of converting the vault-action outputs to json --- README.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/README.md b/README.md index c2a6c7f..f01a059 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ jobs: steps: # ... - name: Import Secrets + id: import-secrets uses: hashicorp/vault-action@v2 with: url: https://vault.mycompany.com:8200 @@ -56,6 +57,39 @@ jobs: # ... ``` +Retrieved secrets are available as environment variables or outputs for subsequent steps: +```yaml +#... + - name: Step following 'Import Secrets' + run: | + ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}" + SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}" + # ... +``` + +If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format. +For example, a common pattern is to save all the secrets in a JSON file: +```yaml +#... + - name: Step following 'Import Secrets' + run: | + touch secrets.json + echo "${{ toJson(steps.import-secrets.outputs) }}" >> secrets.json + # ... +``` + +Which with our example would yield a file containing: +```json +{ + "ACCESS_KEY_ID": "MY_KEY_ID", + "SECRET_ACCESS_KEY": "MY_SECRET_KEY", + "NPM_TOKEN": "MY_NPM_TOKEN" +} +``` + +Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder. + + ## Authentication Methods Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
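Review bot: In the second hunk (the new README examples), the first shell snippet is not valid shell: `ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"` has spaces around `=`, so the runner would try to execute a command named `ACCESS_KEY_ID` with `=` as an argument; it should read `ACCESS_KEY_ID="${{ env.AWS_ACCESS_KEY_ID }}"` (same for `SECRET_ACCESS_KEY`). The names are also inconsistent between the examples: the env/output snippet uses `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, while the JSON that is said to result from "our example" shows `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY`; pick one set so the documented output actually matches the documented inputs. The JSON example itself expands secret material directly into the script body via `echo "${{ toJson(steps.import-secrets.outputs) }}" >> secrets.json`; an expression inlined into `run:` is substituted before the shell parses it, so a secret containing `"`, `$(`, or backticks can break or alter the script. The safer pattern for documentation is to pass it through an environment variable and write it with `printf`, e.g. `env:` / `SECRETS_JSON: ${{ toJson(steps.import-secrets.outputs) }}` and then `printf '%s\n' "$SECRETS_JSON" > secrets.json`. Minor: `touch secrets.json` is redundant with the redirect, and `>>` appends, so a re-run in the same workspace would produce a file with several concatenated JSON documents; use `>`. The masking sentence is also easy to misread: the file on disk holds the real values, it is only the job log where GitHub replaces them with `***`, so I would state that `cat secrets.json` in a step will show masked output while a program reading the file gets the real values, and add that the file should be removed (or written outside the workspace) so it is not picked up by a later artifact upload or commit step.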