Skip to content
Use this GitHub Action with your project

Add this Action to an existing workflow or create a new one.

View on Marketplace
main
Switch branches/tags
8 branches 9 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
 
 
dist
 
 
src
 
 
tests
 
 
.eslintrc.js
 
 
.gitignore
 
 
.prettierrc.js
 
 
CHANGELOG.md
 
 
CODEOWNERS
 
 
CONTRIBUTING.md
 
 
LICENSE
 
 
README.md
 
 
action.yml
 
 
package-lock.json
 
 
package.json
 
 
tsconfig.json
 
 
get-secretmanager-secrets Prerequisites Usage Inputs Outputs Authorization Via google-github-actions/auth Authenticating via Workload Identity Federation Authenticating via Service Account Key JSON Via Application Default Credentials

README.md

get-secretmanager-secrets

This action fetches secrets from Secret Manager and makes them available to later build steps via outputs. This is useful when you want Secret Manager to be the source of truth for secrets in your organization, but you need access to those secrets in build steps.

Secrets that are successfully fetched are set as output variables and can be used in subsequent actions. After a secret is accessed, its value is added to the mask of the build to reduce the chance of it being printed or logged by later steps.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See the Authorization section below for more information.

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v0'
      with:
        secrets: |-
          token:my-project/docker-registry-token

    # Example of using the output
    - id: 'publish'
      uses: 'foo/bar@master'
      env:
        TOKEN: '${{ steps.secrets.outputs.token }}'

Inputs

  • secrets: (Required) The list of secrets to access and inject into the environment. Due to limitations with GitHub Actions inputs, this is specified as a string.

    You can specify multiple secrets by putting each secret on its own line:

    secrets: |-
  output1:my-project/my-secret1
  output2:my-project/my-secret2

    Secrets can be referenced using the following formats:

    # Long form
projects/<project-id>/secrets/<secret-id>/versions/<version-id>

# Long form - "latest" version
projects/<project-id>/secrets/<secret-id>

# Short form
<project-id>/<secret-id>/<version-id>

# Short form - "latest" version
<project-id>/<secret-id>

  • credentials: (Deprecated) This input is deprecated. See auth section for more details. Google Service Account JSON credentials, typically sourced from a GitHub Secret.

Outputs

Each secret is prefixed with an output name. The secret's resolved access value will be available at that output in future build steps.

For example:

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v0'
      with:
        secrets: |-
          token:my-project/docker-registry-token

will be available in future steps as the output "token":

# other step
- id: 'publish'
  uses: 'foo/bar@master'
  env:
    TOKEN: '${{ steps.secrets.outputs.token }}'

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication. by specifying the credentials input. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.

See usage for more details.

Authenticating via Workload Identity Federation

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v2'

    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v0'
      with:
        secrets: |-
          token:my-project/docker-registry-token

Authenticating via Service Account Key JSON

jobs:
  job_id:
    steps:
    - uses: 'actions/checkout@v2'

    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        credentials_json: '${{ secrets.gcp_credentials }}'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v0'
      with:
        secrets: |-
          token:my-project/docker-registry-token

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v0'

The action will automatically detect and use the Application Default Credentials.

About

This action fetches secrets from Secret Manager and makes them available to later build steps via outputs.

Topics

actions gcp google-cloud secrets google-cloud-platform github-actions google-secret-manager secret-manager

Resources

Readme

License

Apache-2.0 License

Stars

37 stars

Watchers

6 watching

Forks

13 forks

Releases 7

get-secretmanager-secrets v0.4.0 Latest
Dec 22, 2021
+ 6 releases

Contributors 7

Languages