Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bitovi/github-actions-aws-secrets-manager
https://github.com/bitovi/github-actions-aws-secrets-manager
Last synced: about 5 hours ago
JSON representation
- Host: GitHub
- URL: https://github.com/bitovi/github-actions-aws-secrets-manager
- Owner: bitovi
- License: mit
- Created: 2022-04-11T15:07:26.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-02-06T14:21:27.000Z (9 months ago)
- Last Synced: 2024-04-14T22:37:31.967Z (7 months ago)
- Language: TypeScript
- Size: 3.13 MB
- Stars: 12
- Watchers: 15
- Forks: 7
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# AWS Secrets Manager GitHub Action
[](https://github.com/bitovi/github-actions-aws-secrets-manager/blob/main/LICENSE)
GitHub Action to fetch secrets from AWS Secrets Manager and inject them as environment variables into your GitHub Actions workflow.
The injected environment variable names will only contain upper case letters, digits and underscores. It will not begin with a digit.
If your secret name contains any characters other than upper case letters, digits and underscores, it will not be used directly as the environment variable name. Rather, it will be transformed into a string that only contains upper case letters, digits and underscores. A Warning will be displayed in the output when this occurs.
For example:
- If your secret name is `dev.foo`, the injected environment variable name will be `DEV_FOO`.
- If your secret name is `1/dev/foo`, the injected environment variable name will be `_1_DEV_FOO`.
- If your secret name is `dev/foo`, value is `{ "bar": "baz" }` and `parse-json` is set to `true`, the injected environment variable name will be `DEV_FOO_BAR` (and value will be `baz`).
## Usage
> Refer [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials) for AWS recommended best practices on how to configure AWS credentials for use with GitHub Actions.
```yaml
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Read secrets from AWS Secrets Manager into environment variables
uses: bitovi/[email protected]
with:
secrets: |
my_secret_1
app1/dev/*
parse-json: true
- name: Check if env variable is set after fetching secrets
run: if [ -z ${MY_SECRET_1+x} ]; then echo "MY_SECRET_1 is unset"; else echo "MY_SECRET_1 is set to '$MY_SECRET_1'"; fi
```
- `secrets`:
- List of secret names to be retrieved.
- Examples:
- To retrieve a single secret, use `secrets: my_secret_1`.
- To retrieve multiple secrets, use:
```yaml
secrets: |
my_secret_1
my_secret_2
```
- To retrieve "all secrets having names that contain `dev`" or "begin with `app1/dev/`", use:
```yaml
secrets: |
*dev*
app1/dev/*
```
- `parse-json`
- If `parse-json: true` and secret value is a **valid** stringified JSON object, it will be parsed and flattened. Each of the key value pairs in the flattened JSON object will become individual secrets. The original secret name will be used as a prefix.
- Examples:
| `parse-json` | AWS Secrets Manager Secret
(`name` = `value`) | Injected Environment Variable
(`name` = `value`) | Explanation |
|--------------|--------------------------------------------------|-----------------------------------------------------|-----------------------------------------------------------------------------------------|
| `true` | `foo` = `{ "bar": "baz" }` | `FOO_BAR` = `baz` | Values that can be parsed into a JSON will be parsed and flattened |
| `true` | `1/dev/foo` = `{ "bar" = "baz" }` | `_1_DEV_FOO` = `{ "bar" = "baz" }` | Values that cannot be parsed into a JSON will NOT be parsed |
| `true` | `foo` = `{ "bar": "baz" }`
`ham` = `eggs` | `FOO_BAR` = `baz` AND
`ham` = `eggs` | If multiple secrets, values that can be parsed into a JSON will be parsed and flattened |
| `false` | `dev_foo` = `{ "bar": "baz" }` | `DEV_FOO` = `{ "bar": "baz" }` | Not parsed |
#### Note:
- `${{ secrets.AWS_ACCESS_KEY_ID }}`, `${{ secrets.AWS_SECRET_ACCESS_KEY }}` and `${{ secrets.AWS_REGION }}` refers to [GitHub Secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets). Create the required secrets in your GitHub repository before using them in this GitHub Action.
- If your AWS Secrets Manager secret name contains any characters other than upper case letters, digits and underscores, it will not be used directly as the environment variable name. Rather, it will be transformed into a string that only contains upper case letters, digits and underscores. Refer the table above for examples.
## Features
- Can fetch secrets from AWS Secrets Manager and inject them into environment variables which can be used in subsequent steps in your GitHub Actions workflow.
- Injects environment variables in a format compatible with most shells.
- Can fetch multiple secrets at once.
- Supports wildcards
- `secrets: 'app1/dev/*'` will fetch all secrets having names that begin with `app1/dev/`.
- `secrets: '*dev*'` will fetch all secrets that have `dev` in their names.
## IAM Policy
The `aws-access-key-id` and `aws-secret-access-key` provided by you should belong to an IAM user with the following minimum permissions:
- `secretsmanager:GetSecretValue`
- `kms:Decrypt`
- Required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use your account's default AWS managed encryption key for Secrets Manager.
#### Example 1 (Simple):
If your secrets are encrypted using the default AWS managed encryption key, then the IAM user needs to have a policy attached similar to:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
#### Example 2 (Advanced):
If your secrets are encrypted using a customer managed AWS Key Management Service (KMS) key, then the IAM user needs a policy similar to the one below. We can restrict access to specific secrets (resources) in a specific region or we can use `*` for 'Any'.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": [
"arn:aws:secretsmanager:*:000000000000:secret:*",
"arn:aws:secretsmanager:us-east-1:000000000000:secret:mySecretID"
]
}
]
}
```
Here `000000000000` is your [AWS account ID](https://console.aws.amazon.com/billing/home?#/account), `us-east-1` is the AWS region code which has the secret(s) and `mySecretID` is the ID of your secret (usually different from a secret name). Please refer your AWS Secrets Manager console for the exact resource ARN.
## Contributing
We would love for you to contribute to [`@bitovi/github-actions-aws-secrets-manager`](https://github.com/bitovi/github-actions-aws-secrets-manager). [Issues](https://github.com/bitovi/github-actions-aws-secrets-manager/issues) and [Pull Requests](https://github.com/bitovi/github-actions-aws-secrets-manager/pulls) are welcome!
## License
The scripts and documentation in this project are released under the [MIT License](https://github.com/bitovi/github-actions-aws-secrets-manager/blob/main/LICENSE).
This has been modified from https://github.com/abhilash1in/aws-secrets-manager-action.
## Provided by Bitovi
[Bitovi](https://www.bitovi.com/) is a proud supporter of Open Source software.
## Need help or have questions?
You can **get help or ask questions** on [Discord channel](https://discord.gg/zAHn4JBVcX)! Come hangout with us!
Or, you can hire us for training, consulting, or development. [Set up a free consultation](https://www.bitovi.com/devops-consulting).