{"id":14970195,"url":"https://github.com/hashicorp/hcp-auth-action","last_synced_at":"2026-02-15T15:05:30.337Z","repository":{"id":246382279,"uuid":"811602751","full_name":"hashicorp/hcp-auth-action","owner":"hashicorp","description":"A GitHub Action for authenticating to the HashiCorp Cloud Platform.","archived":false,"fork":false,"pushed_at":"2024-12-02T22:55:53.000Z","size":1764,"stargazers_count":0,"open_issues_count":5,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-30T06:11:21.321Z","etag":null,"topics":["actions","authentication","hcp"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hashicorp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-06T23:38:43.000Z","updated_at":"2024-11-11T17:27:51.000Z","dependencies_parsed_at":"2024-06-27T18:17:05.925Z","dependency_job_id":"9c6577b1-5179-42eb-a8f4-e5996c733252","html_url":"https://github.com/hashicorp/hcp-auth-action","commit_stats":{"total_commits":37,"total_committers":4,"mean_commits":9.25,"dds":"0.21621621621621623","last_synced_commit":"5fb720a8e4cad45e7a991237c6b29f7aa6aa46b9"},"previous_names":["hashicorp/hcp-auth-action"],"tags_count":2,"template":false,"template_full_name":"actions/typescript-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fhcp-auth-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fhcp-auth-action/tags","releases_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fhcp-auth-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hashicorp%2Fhcp-auth-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hashicorp","download_url":"https://codeload.github.com/hashicorp/hcp-auth-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237109299,"owners_count":19257110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","authentication","hcp"],"created_at":"2024-09-24T13:43:16.294Z","updated_at":"2025-10-19T10:30:24.599Z","avatar_url":"https://github.com/hashicorp.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authenticate to HashiCorp Cloud Platform (HCP) From GitHub Actions\n\nThis GitHub Action authenticates to\n[HashiCorp Cloud Platform (HCP)](https://www.hashicorp.com/cloud) and makes\ncredentials available to subsequent Action steps. Pair this action with\n[hashicorp/hcp-setup-action](https://github.com/hashicorp/hcp-setup-action) to\nuse HCP services from your Workflow using the [HCP CLI][hcp-cli].\n\nThis action supports authenticating either via Workload Identity Federation or\nvia Service Principal credentials. It is **strongly recommended** to use\nWorkload Identity Federation, as it does not require creating and storing any\nlong lived credential. 
Instead, a trust relationship is created between the\nGitHub Actions and HCP, which can be tightly scoped.\n\n## Usage\n\n```yaml\njobs:\n  job_id:\n    # \"id-token\" is needed when using Workload Identity Federation.\n    permissions:\n      contents: 'read'\n      id-token: 'write'\n\n    steps:\n      - uses: 'hashicorp/hcp-auth-action@v0'\n        with:\n          workload_identity_provider: 'iam/project/123456789/service-principal/my-sp/workload-identity-provider/my-provider'\n```\n\n## Inputs\n\n### Inputs: Workload Identity Federation\n\nThe following Action Inputs are for use when authenticating using Workload Identity\nFederation.\n\n- `workload_identity_provider` - (Required) The full name of the Workload\n  Identity Provider to use for authentication. This should be in the format\n  `iam/project/1234/service-principal/my-sp/workload-identity-provider/my-wip`.\n\n- `audience` - (Optional) The value for the audience (`aud`) parameter in the\n  generated GitHub Actions OIDC token. The audience must match the audience the\n  HCP Workload Identity Provider expects. By default, HCP expects the audience\n  to be the same as the `workload_identity_provider` value. For most use cases,\n  this value should not be set.\n\n### Inputs: Service Principal Credentials\n\n\u003e [!CAUTION]\n\u003e\n\u003e Service Principal Credentials are long-lived credentials and must be treated\n\u003e like a password. 
It is **strongly recommended** to use Workload Identity\n\u003e Federation instead.\n\nThe following Action Inputs are for use when authenticating using Service Principal\nCredentials.\n\n- `client_id` - (Required) The client ID of the Service Principal to use for\n  authentication.\n\n- `client_secret` - (Required) The client secret of the Service Principal to use\n  for authentication.\n\n### Inputs: Common\n\nThe following inputs are common to both Workload Identity Federation and Service\nPrincipal Credentials.\n\n- `set_access_token` - (Optional) If true, the action will set the access token\n  as an output. This can be useful for downstream steps that need to directly\n  use the access token to authenticate to HashiCorp Cloud Platform. Default is\n  `false`.\n\n- `export_environment_variables` - (Optional) If true, the action will set the\n  `HCP_CRED_FILE` environment variable. If false, the action will not export any\n  environment variables, meaning future steps are unlikely to be automatically\n  authenticated to HCP.\n\n## Outputs\n\n- `organization_id`: The HashiCorp Cloud Platform organization ID that the\n  Service Principal is a member of.\n\n- `project_id`: The HashiCorp Cloud Platform Project ID that the Service\n  Principal was created in. If using an organization level Service Principal,\n  this will not be set.\n\n- `credentials_file_path`: Path on the local filesystem where the generated\n  credentials file resides.\n\n- `access_token`: The access token for calling HCP APIs. This is only available\n  when \"set_access_token\" is true.\n\n## Setup\n\nThis section describes the possible configuration options:\n\n1. [(Preferred) Workload Identity Federation](#preferred-workload-identity-federation)\n1. [Service Principal Credentials](#service-principal-credentials)\n\n### (Preferred) Workload Identity Federation\n\nWhen using Workload Identity Federation, the GitHub Action's OIDC token will be\nsent to the configured Workload Identity Provider. 
HCP will validate the token\nand return a short-lived access token that can be used to authenticate to HCP.\n\nThese instructions use the [hcp][hcp-cli] command-line tool.\n\n1. Create a Service Principal in HCP.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID} with your value below.\n   hcp iam service-principals create \"my-sp\" --project \"${PROJECT_ID}\"\n   ```\n\n1. Create the Workload Identity Provider and set it up to only allow GitHub\n   Actions running in a particular repository to authenticate.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID}, ${GITHUB_ORG}, and ${GITHUB_REPO} with\n   # your values below.\n   hcp iam workload-identity-providers create-oidc \"github\" \\\n     --project \"${PROJECT_ID}\" \\\n     --service-principal \"iam/project/${PROJECT_ID}/service-principal/my-sp\" \\\n     --issuer=\"https://token.actions.githubusercontent.com\" \\\n     --conditional-access 'jwt_claims.repository == \"${GITHUB_ORG}/${GITHUB_REPO}\"'\n   ```\n\n1. Grant the created Service Principal a role on a resource. For this example,\n   we will give it access to read Vault Secrets within the project.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID} and ${SERVICE_PRINCIPAL_RESOURCE_ID} with your\n   # values below.\n   hcp projects add-binding \\\n     --project=${PROJECT_ID} \\\n     --member=${SERVICE_PRINCIPAL_RESOURCE_ID} \\\n     --role=roles/secrets.app-secret-reader\n   ```\n\n1. Add the `hashicorp/hcp-auth-action` to your GitHub Actions workflow.\n   \u003c!-- markdownlint-capture --\u003e\n   \u003c!-- markdownlint-disable --\u003e\n\n   ```yaml\n   jobs:\n     job_id:\n       # \"id-token\" is needed when using Workload Identity Federation.\n       permissions:\n         contents: 'read'\n         id-token: 'write'\n\n       steps:\n         - uses: 'hashicorp/hcp-auth-action@v0'\n           with:\n             workload_identity_provider: '...' 
# 'iam/project/123456789/service-principal/my-sp/workload-identity-provider/github'\n\n         - uses: 'hashicorp/hcp-setup-action@v0'\n           with:\n             version: 'latest'\n\n         - name: 'Read a secret and inject as an environment variable'\n           run: |\n             MY_SECRET=$(hcp vault-secrets secrets open \\\n               --app=cli --format=json foo | jq -r '.static_version.value')\n             echo \"::add-mask::$MY_SECRET\"\n             echo \"MY_SECRET=$MY_SECRET\" \u003e\u003e $GITHUB_ENV\n   ```\n\n   \u003c!-- markdownlint-restore --\u003e\n\n### Service Principal Credentials\n\nWhen using Service Principal Credentials, the GitHub Action will authenticate to\nHCP using the provided Client ID and Client Secret. The credential pair is\nlong-lived and must be treated like a password. As such, these credentials\nshould be stored as\n[GitHub Actions Secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).\n\nThese instructions use the [hcp][hcp-cli] command-line tool.\n\n1. Create a Service Principal in HCP.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID} with your value below.\n   hcp iam service-principals create \"my-sp\" --project \"${PROJECT_ID}\"\n   ```\n\n1. Create a Service Principal Key.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID} with your value below.\n   hcp iam service-principals keys create iam/project/${PROJECT_ID}/service-principal/my-sp\n   ```\n\n1. Create a\n   [GitHub Actions Secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions)\n   named `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` with the values of the Service\n   Principal's Client ID and Client Secret.\n\n1. Grant the created Service Principal a role on a resource. 
For this example,\n   we will give it access to read Vault Secrets within the project.\n\n   ```sh\n   # TODO: replace ${PROJECT_ID} and ${SERVICE_PRINCIPAL_RESOURCE_ID} with your\n   # values below.\n   hcp projects add-binding \\\n     --project=${PROJECT_ID} \\\n     --member=${SERVICE_PRINCIPAL_RESOURCE_ID} \\\n     --role=roles/secrets.app-secret-reader\n   ```\n\n1. Add the `hashicorp/hcp-auth-action` to your GitHub Actions workflow.\n   \u003c!-- markdownlint-capture --\u003e\n   \u003c!-- markdownlint-disable --\u003e\n\n   ```yaml\n   jobs:\n     job_id:\n       steps:\n         - uses: 'hashicorp/hcp-auth-action@v0'\n           with:\n             client_id: ${{ secrets.HCP_CLIENT_ID }}\n             client_secret: ${{ secrets.HCP_CLIENT_SECRET }}\n\n         - uses: 'hashicorp/hcp-setup-action@v0'\n           with:\n             version: 'latest'\n\n         - name: 'Read a secret and inject as an environment variable'\n           run: |\n             MY_SECRET=$(hcp vault-secrets secrets open \\\n               --app=cli --format=json foo | jq -r '.static_version.value')\n             echo \"::add-mask::$MY_SECRET\"\n             echo \"MY_SECRET=$MY_SECRET\" \u003e\u003e $GITHUB_ENV\n   ```\n\n   \u003c!-- markdownlint-restore --\u003e\n\n[hcp-cli]: https://developer.hashicorp.com/hcp/docs/cli\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fhcp-auth-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhashicorp%2Fhcp-auth-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhashicorp%2Fhcp-auth-action/lists"}