diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 164033f..7af07c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,283 +6,282 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.9.0'
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: "20.9.0"
- - name: Setup NPM Cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
+ - name: Setup NPM Cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
- - name: NPM Install
- run: npm ci
+ - name: NPM Install
+ run: npm ci
- - name: NPM Build
- run: npm run build
+ - name: NPM Build
+ run: npm run build
- - name: NPM Run Test
- run: npm run test
+ - name: NPM Run Test
+ run: npm run test
integrationOSS:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- - name: Run docker-compose
- run: docker-compose up -d vault
+ - name: Run docker compose
+ run: docker compose up -d vault
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.9.0'
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: "20.9.0"
- - name: Setup NPM Cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
+ - name: Setup NPM Cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
- - name: NPM Install
- run: npm ci
+ - name: NPM Install
+ run: npm ci
- - name: NPM Build
- run: npm run build
+ - name: NPM Build
+ run: npm run build
- - name: NPM Run test;integration:basic
- run: npm run test:integration:basic
- env:
- VAULT_HOST: localhost
- VAULT_PORT: 8200
- CI: true
+ - name: NPM Run test;integration:basic
+ run: npm run test:integration:basic
+ env:
+ VAULT_HOST: localhost
+ VAULT_PORT: 8200
+ CI: true
integrationEnterprise:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- - name: Run docker-compose
- run: docker-compose up -d vault-enterprise
- env:
- VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
+ - name: Run docker compose
+ run: docker compose up -d vault-enterprise
+ env:
+ VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.9.0'
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: "20.9.0"
- - name: Setup NPM Cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
+ - name: Setup NPM Cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
- - name: NPM Install
- run: npm ci
+ - name: NPM Install
+ run: npm ci
- - name: NPM Build
- run: npm run build
+ - name: NPM Build
+ run: npm run build
- - name: NPM Run test:integration:enterprise
- run: npm run test:integration:enterprise
- env:
- VAULT_HOST: localhost
- VAULT_PORT: 8200
- CI: true
+ - name: NPM Run test:integration:enterprise
+ run: npm run test:integration:enterprise
+ env:
+ VAULT_HOST: localhost
+ VAULT_PORT: 8200
+ CI: true
e2e:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- - name: Run docker-compose
- run: docker-compose up -d vault
+ - name: Run docker compose
+ run: docker compose up -d vault
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.9.0'
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: "20.9.0"
- - name: Setup NPM Cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
+ - name: Setup NPM Cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
- - name: NPM Install
- run: npm ci
+ - name: NPM Install
+ run: npm ci
- - name: NPM Build
- run: npm run build
+ - name: NPM Build
+ run: npm run build
- - name: Setup Vault
- run: node ./integrationTests/e2e/setup.js
- env:
- VAULT_HOST: localhost
- VAULT_PORT: 8200
+ - name: Setup Vault
+ run: node ./integrationTests/e2e/setup.js
+ env:
+ VAULT_HOST: localhost
+ VAULT_PORT: 8200
- - name: Test Vault Action (default KV V2)
- uses: ./
- id: kv-secrets
- with:
- url: http://localhost:8200
- token: testtoken
- secrets: |
- secret/data/test secret ;
- secret/data/test secret | NAMED_SECRET ;
- secret/data/nested/test otherSecret ;
+ - name: Test Vault Action (default KV V2)
+ uses: ./
+ id: kv-secrets
+ with:
+ url: http://localhost:8200
+ token: testtoken
+ secrets: |
+ secret/data/test secret ;
+ secret/data/test secret | NAMED_SECRET ;
+ secret/data/nested/test otherSecret ;
- - name: Test Vault Action (default KV V1)
- uses: ./
- with:
- url: http://localhost:8200
- token: testtoken
- secrets: |
- my-secret/test altSecret ;
- my-secret/test altSecret | NAMED_ALTSECRET ;
- my-secret/nested/test otherAltSecret ;
+ - name: Test Vault Action (default KV V1)
+ uses: ./
+ with:
+ url: http://localhost:8200
+ token: testtoken
+ secrets: |
+ my-secret/test altSecret ;
+ my-secret/test altSecret | NAMED_ALTSECRET ;
+ my-secret/nested/test otherAltSecret ;
- - name: Test Vault Action (cubbyhole)
- uses: ./
- with:
- url: http://localhost:8200
- token: testtoken
- secrets: |
- /cubbyhole/test foo ;
- /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+ - name: Test Vault Action (cubbyhole)
+ uses: ./
+ with:
+ url: http://localhost:8200
+ token: testtoken
+ secrets: |
+ /cubbyhole/test foo ;
+ /cubbyhole/test zip | NAMED_CUBBYSECRET ;
- # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
- # They should come before the Verify Vault Action Outputs step
- - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
- uses: ./
- with:
- url: http://localhost:8200/
- token: testtoken
- secrets: |
- secret/data/test secret | SUBSEQUENT_TEST_SECRET;
+ # The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
+ # They should come before the Verify Vault Action Outputs step
+ - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
+ uses: ./
+ with:
+ url: http://localhost:8200/
+ token: testtoken
+ secrets: |
+ secret/data/test secret | SUBSEQUENT_TEST_SECRET;
- - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
- uses: ./
- with:
- url: http://localhost:8200/
- token: testtoken
- secrets: |
- secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
+ - name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
+ uses: ./
+ with:
+ url: http://localhost:8200/
+ token: testtoken
+ secrets: |
+ secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
- - name: Test JSON Secrets
- uses: ./
- with:
- url: http://localhost:8200
- token: testtoken
- secrets: |
- secret/data/test-json-data jsonData;
- secret/data/test-json-string jsonString;
- secret/data/test-json-string-multiline jsonStringMultiline;
-
- - name: Verify Vault Action Outputs
- run: npm run test:integration:e2e
- env:
- OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
+ - name: Test JSON Secrets
+ uses: ./
+ with:
+ url: http://localhost:8200
+ token: testtoken
+ secrets: |
+ secret/data/test-json-data jsonData;
+ secret/data/test-json-string jsonString;
+ secret/data/test-json-string-multiline jsonStringMultiline;
+ - name: Verify Vault Action Outputs
+ run: npm run test:integration:e2e
+ env:
+ OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
e2e-tls:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- - name: Run docker-compose
- run: docker-compose up -d vault-tls
+ - name: Run docker compose
+ run: docker compose up -d vault-tls
- - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
- with:
- node-version: '20.9.0'
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: "20.9.0"
- - name: Setup NPM Cache
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: ~/.npm
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
+ - name: Setup NPM Cache
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
- - name: NPM Install
- run: npm ci
+ - name: NPM Install
+ run: npm ci
- - name: NPM Build
- run: npm run build
+ - name: NPM Build
+ run: npm run build
- - name: Setup Vault
- run: node ./integrationTests/e2e-tls/setup.js
- env:
- VAULT_HOST: localhost
- VAULT_PORT: 8200
- VAULTCA: ${{ secrets.VAULTCA }}
- VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
- VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
+ - name: Setup Vault
+ run: node ./integrationTests/e2e-tls/setup.js
+ env:
+ VAULT_HOST: localhost
+ VAULT_PORT: 8200
+ VAULTCA: ${{ secrets.VAULTCA }}
+ VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
+ VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
- - name: Test Vault Action (default KV V2)
- uses: ./
- id: kv-secrets-tls
- with:
- url: https://localhost:8200
- token: ${{ env.VAULT_TOKEN }}
- caCertificate: ${{ secrets.VAULTCA }}
- clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
- clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- secrets: |
- secret/data/test secret ;
- secret/data/test secret | NAMED_SECRET ;
- secret/data/nested/test otherSecret ;
+ - name: Test Vault Action (default KV V2)
+ uses: ./
+ id: kv-secrets-tls
+ with:
+ url: https://localhost:8200
+ token: ${{ env.VAULT_TOKEN }}
+ caCertificate: ${{ secrets.VAULTCA }}
+ clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+ clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+ secrets: |
+ secret/data/test secret ;
+ secret/data/test secret | NAMED_SECRET ;
+ secret/data/nested/test otherSecret ;
- - name: Test Vault Action (tlsSkipVerify)
- uses: ./
- with:
- url: https://localhost:8200
- token: ${{ env.VAULT_TOKEN }}
- tlsSkipVerify: true
- clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
- clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- secrets: |
- secret/data/tlsSkipVerify skip ;
+ - name: Test Vault Action (tlsSkipVerify)
+ uses: ./
+ with:
+ url: https://localhost:8200
+ token: ${{ env.VAULT_TOKEN }}
+ tlsSkipVerify: true
+ clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+ clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+ secrets: |
+ secret/data/tlsSkipVerify skip ;
- - name: Test Vault Action (default KV V1)
- uses: ./
- with:
- url: https://localhost:8200
- token: ${{ env.VAULT_TOKEN }}
- caCertificate: ${{ secrets.VAULTCA }}
- clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
- clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- secrets: |
- my-secret/test altSecret ;
- my-secret/test altSecret | NAMED_ALTSECRET ;
- my-secret/nested/test otherAltSecret ;
+ - name: Test Vault Action (default KV V1)
+ uses: ./
+ with:
+ url: https://localhost:8200
+ token: ${{ env.VAULT_TOKEN }}
+ caCertificate: ${{ secrets.VAULTCA }}
+ clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+ clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+ secrets: |
+ my-secret/test altSecret ;
+ my-secret/test altSecret | NAMED_ALTSECRET ;
+ my-secret/nested/test otherAltSecret ;
- - name: Test Vault Action (cubbyhole)
- uses: ./
- with:
- url: https://localhost:8200
- token: ${{ env.VAULT_TOKEN }}
- secrets: |
- /cubbyhole/test foo ;
- /cubbyhole/test zip | NAMED_CUBBYSECRET ;
- caCertificate: ${{ secrets.VAULTCA }}
- clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
- clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
+ - name: Test Vault Action (cubbyhole)
+ uses: ./
+ with:
+ url: https://localhost:8200
+ token: ${{ env.VAULT_TOKEN }}
+ secrets: |
+ /cubbyhole/test foo ;
+ /cubbyhole/test zip | NAMED_CUBBYSECRET ;
+ caCertificate: ${{ secrets.VAULTCA }}
+ clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
+ clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- - name: Verify Vault Action Outputs
- run: npm run test:integration:e2e-tls
- env:
- OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}
+ - name: Verify Vault Action Outputs
+ run: npm run test:integration:e2e-tls
+ env:
+ OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}
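Review bot: The e2e-tls job's "Setup Vault" and "Test Vault Action" steps still take the test CA, client certificate and client key from repository secrets (`secrets.VAULTCA`, `secrets.VAULT_CLIENT_CERT`, `secrets.VAULT_CLIENT_KEY`), and integrationEnterprise takes `secrets.VAULT_LICENSE_CI`; if this workflow runs on `pull_request` (the triggers are above the hunk and not visible here), those values are empty for pull requests from forks, so the jobs fail or, depending on how `integrationTests/e2e-tls/setup.js` treats an empty value, run without the TLS material they are meant to exercise. Since this PKI only secures a throwaway Vault on localhost, it need not be a secret at all: generating the CA and client pair in-job with an `openssl` step and reading them from the workspace removes the secret dependency and lets fork PRs cover the TLS path; otherwise gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so the failure mode is explicit. Separately, the `token: ${{ env.VAULT_TOKEN }}` inputs rely on setup.js presumably exporting the token via `GITHUB_ENV`; confirm it also emits `::add-mask::` for that value, since `GITHUB_ENV` alone does not mask it in job logs.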
diff --git a/Makefile b/Makefile
index fef4953..137dbdb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,3 @@
.PHONY: local-test
local-test:
- docker compose down; docker-compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml
+ docker compose down; docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml
diff --git a/README.md b/README.md
index c142b9f..8cd6773 100644
--- a/README.md
+++ b/README.md
@@ -46,46 +46,51 @@ is not meant to modify Vault’s state.
```yaml
jobs:
- build:
- # ...
- steps:
- # ...
- - name: Import Secrets
- id: import-secrets
- uses: hashicorp/vault-action@v2
- with:
- url: https://vault.mycompany.com:8200
- token: ${{ secrets.VAULT_TOKEN }}
- caCertificate: ${{ secrets.VAULT_CA_CERT }}
- secrets: |
- secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
- secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
- secret/data/ci npm_token
- # ...
+ build:
+ # ...
+ steps:
+ # ...
+ - name: Import Secrets
+ id: import-secrets
+ uses: hashicorp/vault-action@v2
+ with:
+ url: https://vault.mycompany.com:8200
+ token: ${{ secrets.VAULT_TOKEN }}
+ caCertificate: ${{ secrets.VAULT_CA_CERT }}
+ secrets: |
+ secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+ secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+ secret/data/ci npm_token
+ # ...
```
Retrieved secrets are available as environment variables or outputs for subsequent steps:
+
```yaml
#...
- - name: Step following 'Import Secrets'
- run: |
- ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
- SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
- # ...
+- name: Step following 'Import Secrets'
+ run: |
+ ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
+ SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
+
+# ...
```
-If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
+If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
For example, a common pattern is to save all the secrets in a JSON file:
+
```yaml
#...
- - name: Step following 'Import Secrets'
- run: |
- touch secrets.json
- echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
- # ...
+- name: Step following 'Import Secrets'
+ run: |
+ touch secrets.json
+ echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
+
+# ...
```
Which with our example would yield a file containing:
+
```json
{
"ACCESS_KEY_ID": "MY_KEY_ID",
@@ -96,7 +101,6 @@ Which with our example would yield a file containing:
Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
-
## Authentication Methods
Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@@ -110,7 +114,7 @@ and Vault using the
Each GitHub Actions workflow receives an auto-generated OIDC token with claims
to establish the identity of the workflow.
-__Vault Configuration__
+**Vault Configuration**
Click to toggle instructions for configuring Vault.
@@ -121,7 +125,6 @@ Pass the following parameters to your auth method configuration:
- `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
- `bound_issuer`: `https://token.actions.githubusercontent.com`
-
Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
- `role_type`: `jwt`
@@ -137,12 +140,12 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
- For wildcard (non-exact) matches, use `bound_claims`.
- - `bound_claims_type`: `glob`
+ - `bound_claims_type`: `glob`
- - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
- ```json
- {"sub": "repo:/*"}
- ```
+ - `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
+ ```json
+ { "sub": "repo:/*" }
+ ```
- For exact matches, use `bound_subject`.
@@ -155,17 +158,17 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
-__GitHub Actions Workflow__
+**GitHub Actions Workflow**
In the GitHub Actions workflow, the workflow needs permissions to read contents
and write the ID token.
```yaml
jobs:
- retrieve-secret:
- permissions:
- contents: read
- id-token: write
+ retrieve-secret:
+ permissions:
+ contents: read
+ id-token: write
```
In the action, provide the name of the Vault role you created to the `role` parameter.
@@ -320,7 +323,7 @@ with:
The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
-Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
+Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
Note that the selector is using [JSONata](https://docs.jsonata.org/overview.html) and certain characters in keys may need to be escaped.
```raw
@@ -333,7 +336,7 @@ To retrieve a key `npmToken` from path `secret/data/ci` that has value `somelong
```yaml
with:
- secrets: secret/data/ci npmToken
+ secrets: secret/data/ci npmToken
```
`vault-action` will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:
@@ -346,12 +349,12 @@ You can also access the secret via outputs:
```yaml
steps:
- # ...
- - name: Import Secrets
- id: secrets
- # Import config...
- - name: Sensitive Operation
- run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
+ # ...
+ - name: Import Secrets
+ id: secrets
+ # Import config...
+ - name: Sensitive Operation
+ run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
```
_**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._
@@ -362,7 +365,7 @@ However, if you want to set it to a specific name, say `NPM_TOKEN`, you could do
```yaml
with:
- secrets: secret/data/ci npmToken | NPM_TOKEN
+ secrets: secret/data/ci npmToken | NPM_TOKEN
```
With that, `vault-action` will now use your requested name and output:
@@ -379,7 +382,6 @@ steps:
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
-
```
### Multiple Secrets
@@ -388,16 +390,17 @@ This action can take multi-line input, so say you had your AWS keys stored in a
```yaml
with:
- secrets: |
- secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
- secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+ secrets: |
+ secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+ secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
```
-You can specify a wildcard * for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
+
+You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
```yaml
with:
- secrets: |
- secret/data/ci/aws * | MYAPP_ ;
+ secrets: |
+ secret/data/ci/aws * | MYAPP_ ;
```
### KV secrets engine version 2
@@ -450,9 +453,9 @@ For example, to request a secret from the `cubbyhole` secret engine:
```yaml
with:
- secrets: |
- /cubbyhole/foo foo ;
- /cubbyhole/foo zip | MY_KEY ;
+ secrets: |
+ /cubbyhole/foo foo ;
+ /cubbyhole/foo zip | MY_KEY ;
```
Resulting in:
@@ -480,12 +483,12 @@ If you ever need to add extra headers to the vault request, say if you need to a
```yaml
with:
- secrets: |
- secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
- secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
- extraHeaders: |
- X-Secure-Id: ${{ secrets.SECURE_ID }}
- X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
+ secrets: |
+ secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+ secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
+ extraHeaders: |
+ X-Secure-Id: ${{ secrets.SECURE_ID }}
+ X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
```
This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
@@ -503,18 +506,18 @@ parameter specifying the namespace. In HCP Vault, the namespace defaults to `adm
```yaml
steps:
- # ...
- - name: Import Secrets
- uses: hashicorp/vault-action
- with:
- url: https://vault-enterprise.mycompany.com:8200
- method: token
- token: ${{ secrets.VAULT_TOKEN }}
- namespace: admin
- secrets: |
- secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
- secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
- secret/data/ci npm_token
+ # ...
+ - name: Import Secrets
+ uses: hashicorp/vault-action
+ with:
+ url: https://vault-enterprise.mycompany.com:8200
+ method: token
+ token: ${{ secrets.VAULT_TOKEN }}
+ namespace: admin
+ secrets: |
+ secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
+ secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
+ secret/data/ci npm_token
```
Alternatively, you may need to authenticate to the root namespace and retrieve
@@ -523,17 +526,17 @@ parameter. Instead set the namespace in the secret path. For example, `