Azure Key Vault Secrets in GitHub Actions
How to use Azure Key Vault Secrets in GitHub Workflows
The fundamental rule to a secret is to not share a secret. Once shared it's more likely going to be shared again and in an unsecure format, but how do we keep a secret a secret?
When it comes to Cloud technology we can use resources that store our sensitive information in a secure environment. For example, Azure Key Vault allows us to store secrets, certificates and keys where we can set access control using authentication methods like Azure AD.
But when we add secrets into a secure resource like Key Vault, how do we access them when running deployments?
In this blog post I will be covering how we get the secrets from an Azure Key Vault for a deployment in GitHub Actions.
GitHub Workflow
We will need login to Azure using the Azure CLI. The first workflow step will be the following:
- name: Azure CLI Login
uses: Azure/login@v1.1
with:
creds: '{"clientId":"${{ secrets.AZ_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_SUBID }}","tenantId":"${{ secrets.AZ_TENANT_ID }}"}'
The following are GitHub Secret values that need to exists before running the workflow:
AZ_CLIENT_ID - Service Principal Client ID
AZ_CLIENT_SECRET - Service Principal Client Secret
AZ_SUBID - The Subscription ID you are connecting to as part of this workflow
AZ_TENANT_ID - The Tenant ID where the Service Principal exists
Once logged via the Azure CLI, we will utilise the Get Key Vault Secrets GitHub Action where we will specify the Key Vault name and the Secrets we want:
- name: Azure Key Vault Secrets
id: azurekeyvault
uses: Azure/get-keyvault-secrets@v1
with:
keyvault: "MyVaultName"
secrets: 'MyFirstSecret, MySecondSecret, MyThirdSecret'
You would replace the following values with your own:
MyVaultName - You would replace this with the name of your Key Vault
MyFirstSecret, MySecondSecret, My ThirdSecret - Replace these with the name of the secrets in your Key Vault (not the values).
Now when you want to use these secrets in the workflow, you just need to use the following format:
steps.azurekeyvault.outputs.MyFirstSecret
Replace the following for your configuration:
azurekeyvault - This would be the id of the Key Vault action
MyFirstSecret - Replace this with one of the secret names you listed to get
Service Principal Access
The above workflow uses a Service Principal to connect to Azure. It would be used to access the Azure Key Vault and will require access permissions to access the secrets. You can do this within the Key Vault itself, either by using RBAC or Access Control (depending on what authentication method you set for the Key Vault).
The GitHub Action only gets the secret from Azure Key Vault, meaning you only need to set permissions with the minimum to be able to get the specified secret you want.
Example Usage
Below are some examples of using the above Azure Key Vault action to use secrets within other actions.
Terraform
- name: Install Terraform
uses: hashicorp/setup-terraform@main
with:
terraform_version: latest
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Plan
id: plan
run: terraform plan
continue-on-error: true
env:
TF_VAR_az_tenant_id: ${{ secrets.AZ_TENANT_ID }}
TF_VAR_MyFirstSecret: ${{ steps.azurekeyvault.outputs.MyFirstSecret }}
TF_VAR_MySecondSecret: ${{ steps.azurekeyvault.outputs.MySecondSecret }}
Docker
- name: Docker Login
uses: azure/docker-login@v1
with:
login-server: myregistry.azurecr.io
username: ${{ steps.azurekeyvault.outputs.MySecondSecret }}
password: ${{ steps.azurekeyvault.outputs.MyThirdSecret }}