Storing and retrieving secrets in Azure Key Vault with GitHub Actions : Thomas Thornton

Using GitHub Actions and wanting to store secrets securely while utilising Azure? In this blog post I will show how you can create and store secrets in Azure Key Vault and retrieve them for use in your GitHub Actions. I wrote a bash script to achieve this because Azure/get-keyvault-secrets@v1 has been deprecated.

Why Azure Key Vault and not just in GitHub?

  • Ability to rotate secrets in one place within a Key Vault – you may have a number of secrets in the same Key Vault
  • Activity log to see who/when secrets were updated or removed
  • Centralisation of secret storage, rather than keeping them only in GitHub
  • No need for repetition to store the secret in both GitHub & Key Vault with one single source of truth
  • With Azure Key Vault you can monitor when secrets were accessed

Some pre-reqs

In this blog, I will be using this repo: https://github.com/thomast1906/azure-keyvault-secrets-githubaction-bash to create & run the GitHub action, along with the below bash script to create:

  • Azure Resource Group: tamopskvrg
  • Azure Key Vault: tamopskvexample
  • Azure Key Vault secrets example1 & example2

RG="tamopskvrg"
LOCATION="uksouth"
KV_NAME="tamopskvexample"

# Create a resource group.
az group create --name $RG --location $LOCATION

# Create a key vault.
az keyvault create --name $KV_NAME --resource-group $RG --location $LOCATION

# Create secrets in the key vault.
az keyvault secret set --vault-name $KV_NAME --name "example1" --value "example1secretvalue"
az keyvault secret set --vault-name $KV_NAME --name "example2" --value "example2secretvalue"

GitHub Action

Time to build and run the GitHub Action

GitHub Repository Secret

Within the GitHub repository to where you are going to be running the GitHub Action to retrieve your Azure Key Vault secrets, select settings -> secrets

Add secret

  • AZURE_CREDENTIALS – in JSON format as below; this is the Service Principal that will be used for az login to access the Azure Key Vault (ensure the Service Principal has the correct permissions on the Key Vault)
{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>"
}

Create and run GitHub Action

To add this GitHub Action to your repository, within your GitHub Repo – select Actions -> Workflows -> New workflow
(Or, if you merge a workflow file at .github/workflows/main.yaml into the main branch, the Action will be created automatically.)

A quick look at the bash script that retrieves the secrets and writes them into GITHUB_OUTPUT environment files:

  • The bash script is a for loop over the array secrets_get, which holds the names of the secrets I want to retrieve the values for
  • Each value is masked to ***** in the job log using ::add-mask::
  • Finally, each secret value is added as a step output via GITHUB_OUTPUT
    - name: 'Get secrets'
      id: azure-keyvault-secrets
      run: |
        secrets_get=(example1 example2)
        for secret_get in "${secrets_get[@]}"
        do
          value=$(az keyvault secret show --name "$secret_get" --vault-name tamopskvexample --query value --output tsv)
          echo "::add-mask::$value"
          echo "$secret_get=$value" >> "$GITHUB_OUTPUT"
        done

My example will then create two resource groups with the secret values to show them being retrieved successfully

    - name: Create resource groups with secret values
      run: |
        # step id and output names match the 'Get secrets' step above
        az group create --name ${{ steps.azure-keyvault-secrets.outputs.example1 }} --location uksouth
        az group create --name ${{ steps.azure-keyvault-secrets.outputs.example2 }} --location uksouth
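A hardened variant of the 'Get secrets' step, added here as an example and not the post's own script: it fails the job on the first az error rather than writing an empty output, validates the secret name before using it as an output key, masks every line of a multi-line value (::add-mask:: covers one line at a time), and writes values with the delimiter syntax GITHUB_OUTPUT requires for multi-line content. The vault and secret names are the post's; KV_NAME, emit_secret and get_secrets are names chosen for this example.

```bash
#!/usr/bin/env bash
# Hardened "Get secrets" step (added example; KV_NAME, emit_secret and
# get_secrets are example names, the vault and secret names are the post's).
set -euo pipefail

KV_NAME="${KV_NAME:-tamopskvexample}"
GITHUB_OUTPUT="${GITHUB_OUTPUT:-/dev/null}"   # the runner sets this in a real job

# Register a value with the log masker and append it to the step outputs file.
# Every line of the value is masked separately, because ::add-mask:: covers a
# single line, and the output is written in the delimiter form that
# GITHUB_OUTPUT requires for multi-line values.
emit_secret() {
  local name="$1" value="$2" out="$3"
  # The name becomes an output key; reject anything that could smuggle extra
  # "key=value" lines into GITHUB_OUTPUT.
  if ! [[ "$name" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
    echo "refusing unexpected secret name: $name" >&2
    return 1
  fi
  local line
  while IFS= read -r line; do
    if [[ -n "$line" ]]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done <<<"$value"
  # Random delimiter so no value can close the heredoc early.
  local delim
  delim="EOF_$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >>"$out"
}

# Fetch each named secret from the vault; abort on the first failure instead
# of silently continuing with an empty value.
get_secrets() {
  local secret value
  for secret in "$@"; do
    value=$(az keyvault secret show --vault-name "$KV_NAME" --name "$secret" \
              --query value --output tsv) || {
      echo "could not read secret '$secret' from $KV_NAME" >&2
      return 1
    }
    emit_secret "$secret" "$value" "$GITHUB_OUTPUT"
  done
}

# In the workflow step:  get_secrets example1 example2
```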

GitHub Action full:

name: github_action_azure_kv_secrets

on:
  workflow_dispatch:

jobs:
  docker_build_push_acr:
    name: 'GitHub Action to retrieve secrets from Azure Key Vault and deploy example resource groups to Azure'
    runs-on: ubuntu-18.04
    environment: production
  
    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v2
 
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}   # repository secret added above

    - name: 'Get secrets'
      id: azure-keyvault-secrets
      run: |
        secrets_get=(example1 example2)
        for secret_get in "${secrets_get[@]}"
        do
          value=$(az keyvault secret show --name "$secret_get" --vault-name tamopskvexample --query value --output tsv)
          echo "::add-mask::$value"
          echo "$secret_get=$value" >> "$GITHUB_OUTPUT"
        done

    - name: Create resource groups with secret values
      run: |
        # step id and output names match the 'Get secrets' step above
        az group create --name ${{ steps.azure-keyvault-secrets.outputs.example1 }} --location uksouth
        az group create --name ${{ steps.azure-keyvault-secrets.outputs.example2 }} --location uksouth

Checking the GitHub Action run, we can see the secrets are masked in the log and not viewable:

Reviewing the Azure portal, two new Resource Groups have been created:

I originally set out to use the Azure/get-keyvault-secrets@v1 action, but it is now archived and deprecated. If there is enough interest, I may turn this blog post into a GitHub Action.

GitHub repository used to test found here

Full code examples here


March 22, 2023 at 05:15PM