mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 07:06:56 +00:00

A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.

github-actions github-actions-javascript multiple-secrets secrets-engine vault vault-action

Find a file

Richard Simpson ab4dc55b2e fix: actually build namespace changes		2020-01-09 10:31:15 -06:00
.github/workflows	chore(test): organize tests a bit better (#7 )	2019-11-24 16:00:31 -06:00
dist	fix: actually build namespace changes	2020-01-09 10:31:15 -06:00
integrationTests	chore(test): organize tests a bit better (#7 )	2019-11-24 16:00:31 -06:00
.gitignore	Initial commit	2019-09-20 12:33:19 -05:00
action.js	feat(namespace): handle request on vault namespace (#5 )	2019-11-24 15:21:11 -06:00
action.test.js	feat: simplify input parameters and docs	2019-09-20 17:56:08 -05:00
action.yml	feat(namespace): handle request on vault namespace (#5 )	2019-11-24 15:21:11 -06:00
docker-compose.yml	chore(test): organize tests a bit better (#7 )	2019-11-24 16:00:31 -06:00
index.js	feat: add initial code logic	2019-09-20 15:09:58 -05:00
jest.config.js	chore(test): organize tests a bit better (#7 )	2019-11-24 16:00:31 -06:00
jsconfig.json	feat: add initial code logic	2019-09-20 15:09:58 -05:00
LICENSE	Initial commit	2019-09-20 12:33:19 -05:00
package-lock.json	chore(deps): bump handlebars from 4.2.1 to 4.5.3 (#9 )	2019-12-29 21:04:07 -06:00
package.json	chore(test): organize tests a bit better (#7 )	2019-11-24 16:00:31 -06:00
README.md	feat(namespace): handle request on vault namespace (#5 )	2019-11-24 15:21:11 -06:00

README.md

vault-action

A helper action for easily pulling secrets from the default v2 K/V backend of vault.

Example Usage

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              uses: RichiCoder1/vault-action
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VaultToken }}
                secrets: |
                    ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    ci npm_token                    
            # ...

Key Syntax

The secrets parameter is a set of multiple secret requests separated by the ; character.

Each secret request is comprised of the path and the key of the desired secret, and optionally the desired Env Var output name.

{{ Secret Path }} {{ Secret Key }} | {{ Output Environment Variable Name }}

Simple Key

To retrieve a key npmToken from path ci that has value somelongtoken from vault you could do:

with:
    secrets: ci npmToken

vault-action will automatically normalize the given data key, and output:

NPMTOKEN=somelongtoken

Set Environment Variable Name

However, if you want to set it to a specific environmental variable, say NPM_TOKEN, you could do this instead:

with:
    secrets: ci npmToken | NPM_TOKEN

With that, vault-action will now use your requested name and output:

NPM_TOKEN=somelongtoken

Multiple Secrets

This action can take multi-line input, so say you had your AWS keys stored in a path and wanted to retrieve both of them. You can do:

with:
    secrets: |
        ci/aws accessKey | AWS_ACCESS_KEY_ID ;
        ci/aws secretKey | AWS_SECRET_ACCESS_KEY

Namespace

This action could be use with namespace Vault Enterprise feature. You can specify namespace in request :

steps:
    # ...
    - name: Import Secrets
      uses: RichiCoder1/vault-action
      with:
        url: https://vault-enterprise.mycompany.com:8200
        token: ${{ secrets.VaultToken }}
        namespace: ns1
        secrets: |
            ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            ci npm_token

Masking

This action uses Github Action's built in masking, so all variables will automatically be masked if printed to the console or to logs.