This Action is deprecated. Instead, one can use azure/cli@v1 action and pass a custom script to it to access azure key vault.
With the Get Key Vault Secrets action, you can fetch secrets from an Azure Key Vault instance and consume in your GitHub Action workflows.
Get started today with a free Azure account!
The definition of this GitHub Action is in action.yml.
Secrets fetched will be set as outputs of the keyvault action instance and can be consumed in the subsequent actions in the workflow using the notation: ${{ steps.<Id-of-the-KeyVault-Action>.outputs.<Secret-Key> }}
. In addition, secrets are also set as environment variables. All the variables are automatically masked if printed to the console or to logs.
Refer to more Actions for Azure and Starter templates to easily automate your CICD workflows targeting Azure services using GitHub Action workflows.
- Authenticate using Azure Login with an Azure service principal, which also has Get, List permissions on the keyvault under consideration.
# File: .github/workflows/workflow.yml
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
# checkout the repo
- uses: actions/checkout@master
- uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: Azure/get-keyvault-secrets@v1
with:
keyvault: "my
Vault"
secrets: 'mySecret' # comma separated list of secret keys that need to be fetched from the Key Vault
id: myGetSecretAction
To fetch the credentials required to authenticate with Azure, run the following command to generate an Azure Service Principal (SPN) with Contributor permissions:
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
--sdk-auth
# Replace {subscription-id}, {resource-group} with the subscription, resource group details of your keyvault
# The command should output a JSON object similar to this:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}
Add the json output as a secret (let's say with the name AZURE_CREDENTIALS
) in the GitHub repository.
Provide explicit access policies on the above Azure service principal to be able to access your Key Vault for get
and list
operations. Use below command for that:
az keyvault set-policy -n $KV_NAME --secret-permissions get list --spn <clientId from the Azure SPN JSON>
For more details, refer to KeyVault Set-Policy.
Sample workflow which leverages the Key Vault action to fetch multiple secrets from the Key Vault and use them as credentials for the docker login action.
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
# checkout the repo
- uses: actions/checkout@master
- uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }} # Define secret variable in repository settings as per action documentation
- uses: Azure/get-keyvault-secrets@v1
with:
keyvault: "myKeyVault"
secrets: 'mySecret1, mySecret2'
id: myGetSecretAction
- uses: Azure/docker-login@v1
with:
login-server: mycontainer.azurecr.io
username: ${{ steps.myGetSecretAction.outputs.mySecret1 }}
password: ${{ steps.myGetSecretAction.outputs.mySecret2 }}
- run: |
cd go-sample
docker build . -t my.azurecr.io/myimage:${{ github.sha }}
docker push my.azurecr.io/myimage:${{ github.sha }}
cd ..
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.