aws-secrets-manager-actions
v2.2.1
Published
GitHub Actions for AWS Secrets Manager
Downloads
17
Maintainers
Readme
AWS Secrets Manager Actions
This GitHub Action lets you export secrets stored in AWS Secrets Manager to environment values in your GitHub runner.
Usage
Add the AWS IAM keys and the secret name that you want to use from your AWS Secrets Manager secrets list to your GitHub repo secrets. Then, in the GitHub actions yaml, add the following step.
- Using github openid-connect (Recommended)
steps:
- name: Store ENV from AWS SecretManager
uses: say8425/aws-secrets-manager-actions@v2
with:
AWS_DEFAULT_REGION: "YOUR-AWS-REGION"
SECRET_NAME: ${{ env.SECRET_NAME }}
OUTPUT_PATH: '.env' # optional
- Using github secrets
steps:
- name: Export ENV from AWS SecretManager
uses: say8425/aws-secrets-manager-actions@v2
with:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
SECRET_NAME: ${{ secrets.SECRET_NAME }}
OUTPUT_PATH: '.env' # optional
AWS IAM
You need an AWS IAM user that has policies to access/read the AWS Secrets Manager secret. Add this IAM user's access id/keys as AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and region as AWS_DEFAULT_REGION
in your repo's GitHub Secrets.
Policy
An example policy to provide the permissions to the user is given below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
We recommend being more specific with the Resource
in the policy by adding the secret ARN.
Get more information at AWS User Guide.
Secret Name
This is the secret name that you want to read the secrets from. Only one secret name is supported.
Environment Values
Your secrets will be exported as environment values into the github runner.
These environment values are masked with ***
in logs in the GitHub Actions for security purposes.
Raw string values
Most of the secrets can be parsed. However, in some case, parsing of secrets can fail. An example case is an invalid json.
In such cases, the unparsed raw sting is stored in asm_secret
env key.
Export environment variables to file
The environment variables can also be exported to a file with OUTPUT_PATH
input parameter.
When OUTPUT_PATH
is defined, the GitHub action writes the environment variables to the specified filename.
Contributing
Your contributions are always welcome! Feel free to check issues or Pull Requests
License
This project is MIT licensed.