Adapted from https://github.com/aasmal97/HashicorpVaultSecrets
Currently, Hashicorp Vault Secrets has a direct one-click intergation that links a Github Repo to an app of their choosing.
However, as highlighted by their documentation, there are severe limitations. For example:
- You can only sync secrets from a single Hashicorp Cloud Platform project
- You can only sync a single organization with a repository.
- This integration requires the Hashicorp Vault Secrets App to be installed and configured in your repository
- This is not possible if the repository lives in an organization and the user is not a Github organization owner/admin.
This action provides a solution for the aforementioned problems, by using a service principal on your HashiCorp Cloud Platform account, to programmatically access Hashicorp Vault secrets in a Github action runner, and pass them into your workflows.
Repository adapted from - aasmal97/HashicorpVaultSecrets
- You must be using a HCP Vault Secrets App
- You must be a HashiCorp Cloud Platform organization Admin or Owner
- Go here and login
- Go to your organization
- Go to Access Control IAM. Go to Service Principals and create a service principal account
name: Hashicorp Vault Secrets
uses: 3um-Group/[email protected]
with:
CLIENT_ID: ${{ secrets.HASHICORP_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.HASHICORP_CLIENT_SECRET }}
ORGANIZATION_ID: "xxx"
PROJECT_ID: "xxx"
APP_NAME: "xxx"
SECRET_NAMES: '["EXAMPLE_NAME"]'
-
- This is the Organization Service Principal's generated CLIENT_ID acquired from your Hashicorp Portal.
-
- This is the Organization Service Principal's generated CLIENT_SECRET acquired from your Hashicorp Portal.
-
- This is the Organization ID that the Service Principal was created on. To access this, go to your organization settings
-
- This is the project ID that holds the apps where the secrets are stored. To access this, go to your project's settings
-
- This is the app name, that holds the secrets
-
- This is JSON Stringified List of the secret names you want to extract.
- To ensure your list of variables have the correct syntax, pass your array/list through a JSON.stringifier and pass the resulting string in here.
- Note: We use
JSON.parse
to parse this string into a list since GitHub Actions does not currently support a list input
-
-
The name of the
.env
file that you wish to generate. If your name contains a.
, your provided name will become the file name of the.env
file. If not, it will become the{name} + .env
For example:
mysecrets.env.local
as theGENERATE_ENV
value, becomesmysecrets.env.local
.mysecrets
as theGENERATE_ENV
value, becomesmysecrets.env
-
-
- If you want to grab all the secrets on the hashicorp vault secrets app, set this to
true
. By default, this isfalse
. If this is set, you do not need to setSECRET_NAMES
- If you want to grab all the secrets on the hashicorp vault secrets app, set this to
To use this action's output in subsequent workflow steps, ensure your id
from the running action step, is the key to the subsquent step.
steps:
- name: Hashicorp Vault Secrets
id: hashicorp-vault-secrets
uses: 3um-Group/[email protected]
with:
CLIENT_ID: ${{ secrets.HASHICORP_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.HASHICORP_CLIENT_SECRET }}
ORGANIZATION_ID: "xxx"
PROJECT_ID: "xxx"
APP_NAME: "xxx"
SECRET_NAMES: '["EXAMPLE_NAME"]'
- name: Example Step
run: echo "The output value is ${{ steps.hashicorp-vault-secrets.outputs.EXAMPLE_NAME }}"
To use this, you must use the GENERATE_ENV
input.
steps:
- name: Hashicorp Vault Secrets
uses: 3um-Group/[email protected]
with:
CLIENT_ID: ${{ secrets.HASHICORP_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.HASHICORP_CLIENT_SECRET }}
ORGANIZATION_ID: "xxx"
PROJECT_ID: "xxx"
APP_NAME: "xxx"
SECRET_NAMES: '["EXAMPLE_NAME"]'
GENERATE_ENV: "example.env"
- name: Check if example.env exists
shell: bash
run: |
if test -f /example.env; then
echo "File exists."
fi
steps:
- name: Hashicorp Vault Secrets
id: hashicorp-vault-secrets
uses: 3um-Group/[email protected]
with:
CLIENT_ID: ${{ secrets.HASHICORP_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.HASHICORP_CLIENT_SECRET }}
ORGANIZATION_ID: "xxx"
PROJECT_ID: "xxx"
APP_NAME: "xxx"
ALL_SECRETS: true
- name: Example Step
run: echo "The output value is ${{ steps.hashicorp-vault-secrets.outputs.EXAMPLE_NAME }}"
- The service principal account must be configured at the Organization Level. This limitation is imposed by Hashicorp themselves, and until this changes, there can't be support for more granular access (i.e service principal for only a project).
- The
SECRET_NAMES
must be a string since list inputs are not supported by Github Actions. In the future, this may be changed, when Github supports list inputs natively. - This action can only run in ubuntu environments. It is not supported in darwin or mac. This is due primarily to ubuntu being the most common environment for Github action runners, but it is also due to my lack of hardware and time. However, in the future, support can be added if it is seen as a good or necessary feature.
Anyone is welcome to contribute, simply open an issue or pull request. When opening an issue, ensure you can reproduce the issue, and list the steps you took to reproduce it.
To run the development environment, ensure the following are configured properly, and your are running the appropiate commands.
- Docker installed on your machine. It will provide the virtual environment needed to run a Github Action
- nektos/act installed. This is the software that uses Docker to create a container, that resembles a Github Action Environment for testing
- Have a package manager installed (i.e, npm, yarn, etc)
- Create a Hashicorp Cloud Platform Account
- Go here and create an account
- Create a dummy organization
- Go to Access Control IAM, then go to Service Principals and create a dummy service principal account
- Save the Client ID and Client Secret values in a
my.secrets
file in the following pathtest/workflows/my.secrets
.nektos/act
will use this to run the virtual github action. - Note: The
my.secrets
file follows the same form/syntax as a regular.env
file.
- Save the Client ID and Client Secret values in a
- Create a dummy project in your organization
- Click on newly created dummy project, and go to Vault Secrets
- Go to Applications and create a dummy application
- Fill in the dummy application with dummy secrets
- Run
npm i
- Run
npm run dev