November 15, 2021 05:02 pm GMT

Azure Key Vault Secrets in GitHub Actions

The fundamental rule of a secret is to not share it. Once shared, it is likely to be shared again, and in an insecure form. So how do we keep a secret a secret?

When it comes to Cloud technology we can use resources that store our sensitive information in a secure environment. For example, Azure Key Vault allows us to store secrets, certificates and keys where we can set access control using authentication methods like Azure AD.

But when we add secrets into a secure resource like Key Vault, how do we access them when running deployments?

In this blog post I will be covering how we get the secrets from an Azure Key Vault for a deployment in GitHub Actions.

GitHub Workflow

We will first need to log in to Azure using the Azure CLI. The first workflow step will be the following:

      - name: Azure CLI Login
        uses: Azure/login@v1
        with:
          creds: '{"clientId":"${{ secrets.AZ_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_SUBID }}","tenantId":"${{ secrets.AZ_TENANT_ID }}"}'

The following GitHub Secret values need to exist before running the workflow:

AZ_CLIENT_ID - Service Principal Client ID

AZ_CLIENT_SECRET - Service Principal Client Secret

AZ_SUBID - The Subscription ID you are connecting to as part of this workflow

AZ_TENANT_ID - The Tenant ID where the Service Principal exists

Once logged in via the Azure CLI, we will use the Get Key Vault Secrets GitHub Action, where we specify the Key Vault name and the secrets we want:

      - name: Azure Key Vault Secrets
        id: azurekeyvault
        uses: Azure/get-keyvault-secrets@v1
        with:
          keyvault: "MyVaultName"
          secrets: 'MyFirstSecret, MySecondSecret, MyThirdSecret'

You would replace the following values with your own:

MyVaultName - You would replace this with the name of your Key Vault

MyFirstSecret, MySecondSecret, MyThirdSecret - Replace these with the names of the secrets in your Key Vault (not the values).

When you want to use these secrets later in the workflow, reference them in the following format:

steps.azurekeyvault.outputs.MyFirstSecret

Replace the following for your configuration:

azurekeyvault - The id you gave the Key Vault action step

MyFirstSecret - Replace this with one of the secret names you listed to get

Service Principal Access

The above workflow uses a Service Principal to connect to Azure. That Service Principal is what accesses the Azure Key Vault, so it needs permission to read the secrets. You grant this on the Key Vault itself, either through Azure RBAC or through a Key Vault access policy (depending on which permission model the Key Vault is configured with).

The GitHub Action only reads secrets from Azure Key Vault, so the Service Principal only needs the minimum permission required to get the specific secrets you want; it does not need rights to list, set or delete secrets, or to manage keys and certificates.

Example Usage

Below are some examples of passing the secrets retrieved by the Key Vault action above into other actions.

Terraform

      - name: Install Terraform
        uses: hashicorp/setup-terraform@main
        with:
          terraform_version: latest
      - name: Terraform Init
        id: init
        run: terraform init
      - name: Terraform Plan
        id: plan
        run: terraform plan
        continue-on-error: true
        env:
          TF_VAR_az_tenant_id: ${{ secrets.AZ_TENANT_ID }}
          TF_VAR_MyFirstSecret: ${{ steps.azurekeyvault.outputs.MyFirstSecret }}
          TF_VAR_MySecondSecret: ${{ steps.azurekeyvault.outputs.MySecondSecret }}

Docker

    - name: Docker Login
      uses: azure/docker-login@v1
      with:
        login-server: myregistry.azurecr.io
        username: ${{ steps.azurekeyvault.outputs.MySecondSecret }}
        password: ${{ steps.azurekeyvault.outputs.MyThirdSecret }}
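The `steps.<id>.outputs.<name>` references above only resolve if `<name>` appears in the `secrets:` list of the Key Vault step, and a secret you fetch but never use widens the Service Principal's footprint for nothing. Here is an added workflow lint (my own example, not part of the post or the Azure action) that cross-checks those references against the fetched list and also flags a secret expanded directly inside a `run:` line, where it ends up in the shell command rather than in `env:`. The workflow fragment it scans is constructed for the example and is not the post's own workflow.

```python
import re
from typing import Dict, List, Set

# Constructed workflow fragment (not from the post) with three deliberate problems:
# a reference to a secret never fetched, a fetched secret never used, and a
# secret interpolated straight into a `run:` command line.
SAMPLE_WORKFLOW = """
      - name: Azure Key Vault Secrets
        id: azurekeyvault
        uses: Azure/get-keyvault-secrets@v1
        with:
          keyvault: "MyVaultName"
          secrets: 'MyFirstSecret, MySecondSecret, MyThirdSecret'
      - name: Terraform Plan
        run: terraform plan
        env:
          TF_VAR_MyFirstSecret: ${{ steps.azurekeyvault.outputs.MyFirstSecret }}
          TF_VAR_Other: ${{ steps.azurekeyvault.outputs.MyFourthSecret }}
      - name: Debug
        run: echo "${{ steps.azurekeyvault.outputs.MySecondSecret }}"
"""

KEY_RE = re.compile(r"(id|uses|secrets|run):\s*(.+)$")          # single-line scalars only
REF_RE = re.compile(r"steps\.([\w-]+)\.outputs\.([\w-]+)")      # steps.<id>.outputs.<name>

def check_workflow(text: str) -> Dict[str, List[str]]:
    """Cross-check output references against the secrets each Key Vault step fetches."""
    fetched: Dict[str, Set[str]] = {}   # step id -> names listed under secrets:
    cur: Dict[str, str] = {}
    refs, run_refs = [], []
    for raw in text.splitlines() + ["- end"]:   # sentinel flushes the last step
        line = raw.strip()
        if line.startswith("- "):               # a new list item starts a new step
            if "get-keyvault-secrets" in cur.get("uses", ""):
                fetched[cur.get("id", "")] = {n.strip() for n in cur.get("secrets", "").split(",") if n.strip()}
            cur = {}
            line = line[2:]
        m = KEY_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip().strip("'\"")
            if m.group(1) == "run":             # secret in run: lands in the shell command; use env: instead
                run_refs += REF_RE.findall(m.group(2))
        refs += REF_RE.findall(line)
    return {
        "unknown_reference": [f"{s}.{n}" for s, n in refs if n not in fetched.get(s, set())],
        "inlined_in_run": [f"{s}.{n}" for s, n in run_refs if s in fetched],
        "unused_secret": sorted(f"{s}.{n}" for s, ns in fetched.items() for n in ns if (s, n) not in refs),
    }
```

Run it over your own workflow text before merging; an empty result for all three keys means every fetched secret is used, every reference is spelled as listed, and no secret is expanded inside a shell command.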

Original Link: https://dev.to/officialcookj/azure-key-vault-secrets-in-github-actions-1naf
