https://github.com/miklosn/github-action-rotate-gcp-key
Rotate Google Service Account Keys for Github Actions
gcp github-secret
- Host: GitHub
- URL: https://github.com/miklosn/github-action-rotate-gcp-key
- Owner: miklosn
- Created: 2020-10-27T17:21:13.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2022-12-09T08:18:29.000Z (over 3 years ago)
- Last Synced: 2025-05-25T18:15:45.981Z (about 1 year ago)
- Topics: gcp, github-secret
- Language: Python
- Homepage:
- Size: 72.3 KB
- Stars: 7
- Watchers: 0
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# github-action-rotate-gcp-key
This action rotates a GCP service account key with the following method:
1. Create a new key for the service account.
2. Update the specified GitHub secret with the new key (in one or more repos).
3. Delete every other key on the service account that is older than 5 minutes. The 5-minute grace period prevents race errors: a key that a concurrent run has just created is left alone.
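The three steps above as an added Python example (not the project's own code). It runs offline against constructed stand-in clients shaped like the IAM `projects.serviceAccounts.keys.list` response and the GitHub repository-secrets endpoint; the `FakeIam`, `FakeGitHub`, `keys_to_delete` and `rotate` names are this example's own. It goes slightly beyond the README by skipping `SYSTEM_MANAGED` keys, which Google owns and which cannot be deleted through the API, so a rotation run does not fail on them.

```python
"""Rotation plan for GCP service account keys (added example, not the action's code)."""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRACE = timedelta(minutes=5)  # README step 3: never delete a key younger than this


def parse_rfc3339(ts: str) -> datetime:
    """IAM returns validAfterTime as e.g. '2024-01-01T12:00:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def keys_to_delete(keys: list[dict], new_key_name: str, now: datetime) -> list[str]:
    """Select the keys step 3 should delete.

    Skips the key just created, skips SYSTEM_MANAGED (Google-owned, undeletable)
    keys, and skips anything inside the grace window so a concurrent rotation's
    fresh key survives.
    """
    doomed = []
    for k in keys:
        if k["name"] == new_key_name:
            continue
        if k.get("keyType") != "USER_MANAGED":
            continue
        if now - parse_rfc3339(k["validAfterTime"]) < GRACE:
            continue
        doomed.append(k["name"])
    return doomed


@dataclass
class FakeIam:
    """Constructed stand-in for the IAM service account keys API."""
    keys: list[dict]
    now: datetime
    _counter: int = 0

    def list_keys(self, sa: str) -> list[dict]:
        prefix = f"projects/-/serviceAccounts/{sa}/keys/"
        return [k for k in self.keys if k["name"].startswith(prefix)]

    def create_key(self, sa: str) -> dict:
        self._counter += 1
        # privateKeyData is the base64-encoded JSON credentials file
        creds = {"type": "service_account", "client_email": sa}
        key = {
            "name": f"projects/-/serviceAccounts/{sa}/keys/new{self._counter}",
            "keyType": "USER_MANAGED",
            "validAfterTime": self.now.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "privateKeyData": base64.b64encode(json.dumps(creds).encode()).decode(),
        }
        self.keys.append(key)
        return key

    def delete_key(self, name: str) -> None:
        self.keys = [k for k in self.keys if k["name"] != name]


@dataclass
class FakeGitHub:
    """Constructed stand-in for PUT /repos/{owner}/{repo}/actions/secrets/{name}.

    The real endpoint needs the value sealed with the repository's libsodium
    public key; this stand-in records the plaintext so the flow can be checked.
    """
    secrets: dict[str, str] = field(default_factory=dict)

    def put_secret(self, repo: str, name: str, value: str) -> None:
        self.secrets[f"{repo}:{name}"] = value


def rotate(iam: FakeIam, gh: FakeGitHub, sa: str, repos: str, secret_name: str, now: datetime) -> dict:
    new_key = iam.create_key(sa)                                          # step 1
    key_json = base64.b64decode(new_key["privateKeyData"]).decode()
    targets = [r.strip() for r in repos.split(",") if r.strip()]          # comma-separated input
    for repo in targets:                                                  # step 2
        gh.put_secret(repo, secret_name, key_json)
    deleted = keys_to_delete(iam.list_keys(sa), new_key["name"], now)    # step 3
    for name in deleted:
        iam.delete_key(name)
    return {"created": new_key["name"], "updated": targets, "deleted": deleted}


# Constructed sample state: one stale key, one 2-minute-old key, one Google-managed key.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SA = "github-actions@example.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"projects/-/serviceAccounts/{SA}/keys/old1", "keyType": "USER_MANAGED", "validAfterTime": "2023-06-01T00:00:00Z"},
    {"name": f"projects/-/serviceAccounts/{SA}/keys/recent", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T11:58:00Z"},
    {"name": f"projects/-/serviceAccounts/{SA}/keys/sys", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
]


def demo() -> dict:
    iam = FakeIam(keys=[dict(k) for k in SAMPLE_KEYS], now=NOW)
    gh = FakeGitHub()
    result = rotate(iam, gh, SA, "example/infra, example/app", "GCP_SA_INFRA_KEY", NOW)
    result["remaining"] = sorted(k["name"].rsplit("/", 1)[1] for k in iam.list_keys(SA))
    result["secrets"] = gh.secrets
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only `old1` is deleted: `recent` is inside the grace window, `sys` is Google-managed, and `new1` is the key the secret now holds. Swapping the stand-ins for the real IAM and GitHub clients leaves the selection logic unchanged.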
## Example workflow
```yaml
name: Rotate GCP service account key
# Uncomment to rotate weekly (Mondays at 12:00 UTC) instead of only on manual dispatch:
#on:
#  schedule:
#    - cron: '0 12 * * 1'
on: [workflow_dispatch]
jobs:
  rotate:
    name: rotate gcp key
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.0.0
      - name: Setup GCP Service Account
        # The same pin-to-commit-SHA advice as below applies to '@master' here.
        uses: google-github-actions/setup-gcloud@master
        with:
          # This is the key being rotated: the service account authenticates with its
          # current key, so it needs permission to create and delete its own keys.
          service_account_key: ${{ secrets.GCP_SA_INFRA_KEY }}
          export_default_credentials: true
      - name: rotate gcp keys
        uses: miklosn/github-action-rotate-gcp-key@main # WARNING: use explicit Git commit sha instead of 'main' to avoid becoming a victim of supply chain attacks
        with:
          projectId: "example"
          serviceAccount: "github-actions@example.iam.gserviceaccount.com"
          personalAccessToken: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
          repositories: ${{ github.repository }}
          secretName: "GCP_SA_INFRA_KEY"
```
## Inputs
- projectId: GCP project id to operate on
- serviceAccount: e-mail ID of the service account to operate on
- personalAccessToken: GitHub personal access token with permission to add/update Actions secrets on each target repo (a classic token with the repo scope; the workflow's own GITHUB_TOKEN cannot write secrets)
- secretName: name of the GitHub secret to update
- repositories: one or more GitHub repos (owner/name). Multiple repos are separated by commas; the secret is updated in all of them.