  • Stars: 111
  • Rank: 314,510 (Top 7 %)
  • Language: TypeScript
  • License: Apache License 2.0
  • Created about 4 years ago
  • Updated about 1 year ago


Repository Details

A GitHub Action for accessing secrets from Google Secret Manager and making them available as outputs.

get-secretmanager-secrets

This action fetches secrets from Secret Manager and makes them available to later build steps via outputs. This is useful when you want Secret Manager to be the source of truth for secrets in your organization, but you need access to those secrets in build steps.

Secrets that are successfully fetched are set as output variables and can be used in subsequent actions. After a secret is accessed, its value is added to the mask of the build to reduce the chance of it being printed or logged by later steps.

This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See Authorization for more information.

  • This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'
      with:
        secrets: |-
          token:my-project/docker-registry-token

    # Example of using the output
    - id: 'publish'
      uses: 'foo/bar@main'
      env:
        TOKEN: '${{ steps.secrets.outputs.token }}'

Inputs

  • secrets: (Required) The list of secrets to access and make available as outputs. Due to limitations with GitHub Actions inputs, this is specified as a string.

    You can specify multiple secrets by putting each secret on its own line:

    secrets: |-
      output1:my-project/my-secret1
      output2:my-project/my-secret2

    Secrets can be referenced using the following formats:

    # Long form
    projects/<project-id>/secrets/<secret-id>/versions/<version-id>
    
    # Long form - "latest" version
    projects/<project-id>/secrets/<secret-id>
    
    # Short form
    <project-id>/<secret-id>/<version-id>
    
    # Short form - "latest" version
    <project-id>/<secret-id>
    
  • min_mask_length: (Optional, default: "4") Minimum line length for a secret to be masked. Extremely short secrets (e.g. "{" or "a") can make GitHub Actions log output unreadable. This is especially important for multi-line secrets, since each line of the secret is masked independently.
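
The following is an added example, not code from the action itself: it parses the multi-line secrets input into (output name, Secret Manager version resource) pairs using the four reference forms listed above, and shows which lines of a fetched value would be masked under min_mask_length. The canonical form projects/<project>/secrets/<secret>/versions/<version> and the "latest" default are from this README; the function names are this example's own.

```typescript
// Added example: parse the `secrets` input and compute mask lines.
// Not the action's own code; names and structure are illustrative.

interface SecretRef {
  output: string;   // output name exposed as steps.<id>.outputs.<output>
  resource: string; // projects/<project>/secrets/<secret>/versions/<version>
}

// Accepts the four reference forms from the README. When no version is
// given, "latest" is implied. Returns the fully qualified version resource.
function toResourceName(ref: string): string {
  const long = ref.match(/^projects\/([^/]+)\/secrets\/([^/]+)(?:\/versions\/([^/]+))?$/);
  if (long) return `projects/${long[1]}/secrets/${long[2]}/versions/${long[3] ?? 'latest'}`;
  const short = ref.match(/^([^/]+)\/([^/]+)(?:\/([^/]+))?$/);
  if (short) return `projects/${short[1]}/secrets/${short[2]}/versions/${short[3] ?? 'latest'}`;
  throw new Error(`unrecognized secret reference: ${ref}`);
}

// One `output:reference` per line; blank lines are ignored. Output names
// must be unique so later steps can address each secret unambiguously.
function parseSecretsInput(input: string): SecretRef[] {
  const seen = new Set<string>();
  const refs: SecretRef[] = [];
  for (const raw of input.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const idx = line.indexOf(':');
    if (idx <= 0 || idx === line.length - 1) {
      throw new Error(`expected "output:reference", got: ${line}`);
    }
    const output = line.slice(0, idx).trim();
    if (seen.has(output)) throw new Error(`duplicate output name: ${output}`);
    seen.add(output);
    refs.push({ output, resource: toResourceName(line.slice(idx + 1).trim()) });
  }
  return refs;
}

// Mirrors the masking rule described above: every line of a secret is masked
// independently, and lines shorter than minMaskLength are skipped so that
// trivially short values such as "{" do not blank out unrelated log output.
function linesToMask(secretValue: string, minMaskLength = 4): string[] {
  return secretValue.split('\n').filter((l) => l.length >= minMaskLength);
}
```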

Outputs

Each secret reference is prefixed with an output name. The secret's resolved value is made available under that output name in later build steps.

For example:

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'
      with:
        secrets: |-
          token:my-project/docker-registry-token

will be available in future steps as the output "token":

# other step
- id: 'publish'
  uses: 'foo/bar@main'
  env:
    TOKEN: '${{ steps.secrets.outputs.token }}'

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v3'

    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'

The action will automatically detect and use the Application Default Credentials.
