
get-keyvault-secrets's Introduction

Deprecation notice

This Action is deprecated. Use the azure/cli@v1 action instead and pass it a custom script that reads the secrets from Azure Key Vault (for example with az keyvault secret show) and exposes them to later steps.

GitHub Action to fetch secrets from Azure Key Vault

With the Get Key Vault Secrets action, you can fetch secrets from an Azure Key Vault instance and consume them in your GitHub Actions workflows.

Get started today with a free Azure account!

The definition of this GitHub Action is in action.yml.

Secrets fetched are set as outputs of the Key Vault action step and can be consumed by subsequent steps in the workflow using the notation ${{ steps.<Id-of-the-KeyVault-Action>.outputs.<Secret-Key> }}. They are also exported as environment variables. Every fetched value is registered as a mask, so it is redacted if printed to the console or to logs.

Refer to more Actions for Azure and Starter templates to easily automate your CI/CD workflows targeting Azure services with GitHub Actions.

End-to-End Sample Workflows

Dependencies on other GitHub Actions

  • Authenticate using Azure Login with an Azure service principal that also has Get and List secret permissions on the Key Vault in question.

Sample workflow that logs in to Azure and fetches a secret from a Key Vault

# File: .github/workflows/workflow.yml

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # checkout the repo (@master is a moving ref; a release tag or commit SHA is the safer pin)
      - uses: actions/checkout@master
      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - uses: Azure/get-keyvault-secrets@v1
        id: myGetSecretAction
        with:
          keyvault: "myVault"
          secrets: 'mySecret'  # comma separated list of secret keys that need to be fetched from the Key Vault

Configure Azure credentials:

To create the credentials used to authenticate with Azure, run the following command to generate an Azure service principal (SPN). The example assigns the Contributor role on a resource group, which is more than fetching secrets requires: data-plane access to the vault is granted separately by the access policy below, so scope the role as narrowly as the rest of your workflow allows:

az ad sp create-for-rbac --name "myApp" --role contributor \
                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
                            --sdk-auth
                            
  # Replace {subscription-id} and {resource-group} with the subscription and resource group of your Key Vault

  # The command should output a JSON object similar to this:

  {
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    (...)
  }

Add the JSON output as a secret (for example named AZURE_CREDENTIALS) in the GitHub repository. The JSON contains the client secret, so treat it like any other credential.

Enable permissions to access the Key Vault secrets

Grant the service principal created above an explicit access policy so that it can perform get and list operations on secrets in your Key Vault. Use the command below for that:

az keyvault set-policy -n $KV_NAME --secret-permissions get list --spn <clientId from the Azure SPN JSON>

For more details, refer to KeyVault Set-Policy.

Consuming secrets fetched using the keyvault action in your workflow

Sample workflow that uses the Key Vault action to fetch two secrets from the Key Vault and pass them as credentials to the docker-login action.

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # checkout the repo (@master is a moving ref; a release tag or commit SHA is the safer pin)
      - uses: actions/checkout@master
      - uses: Azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }} # Define secret variable in repository settings as per action documentation
      - uses: Azure/get-keyvault-secrets@v1
        id: myGetSecretAction
        with:
          keyvault: "myKeyVault"
          secrets: 'mySecret1, mySecret2'
      # mySecret1 / mySecret2 hold the registry username and password; both values are masked in logs
      - uses: Azure/docker-login@v1
        with:
          login-server: mycontainer.azurecr.io
          username: ${{ steps.myGetSecretAction.outputs.mySecret1 }}
          password: ${{ steps.myGetSecretAction.outputs.mySecret2 }}
      # build and push to the same registry the login step authenticated against
      - run: |
          cd go-sample
          docker build . -t mycontainer.azurecr.io/myimage:${{ github.sha }}
          docker push mycontainer.azurecr.io/myimage:${{ github.sha }}
          cd ..
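
The deprecation notice at the top of this page leaves the replacement as an exercise. The script below is added here as an example; it is not code from the Azure/get-keyvault-secrets action or its README. It does the same job from a plain run step after Azure/login@v1 and goes beyond the action in the places a practitioner will care about: it writes to the GITHUB_OUTPUT and GITHUB_ENV files rather than the disabled ::set-env command, registers every value with ::add-mask:: before exposing it, maps hyphenated secret names to POSIX-valid environment variable names, chooses the data-plane DNS suffix for sovereign clouds, and fails the step on an unresolvable vault instead of hanging. The step wiring in the docstring, the file name fetch_kv_secrets.py and the input variables KEYVAULT, SECRETS and AZURE_CLOUD are this example's own assumptions; the HTTP opener is injectable so the logic can be exercised without an Azure subscription.

```python
"""Replacement for the deprecated action: fetch Key Vault secrets from a plain `run:` step.

Assumed wiring (an example, not from the original page), placed after `Azure/login@v1`:
    - run: python3 fetch_kv_secrets.py
      env: { KEYVAULT: myKeyVault, SECRETS: "mySecret1, mySecret2" }
KEYVAULT, SECRETS and the optional AZURE_CLOUD are this script's own input names.
"""
import json
import os
import re
import secrets
import subprocess
import sys
import urllib.error
import urllib.request

# Data-plane DNS suffix per cloud, keyed by the name `az cloud show --query name` prints.
# The first two are the ones discussed on this page; the China entry comes from Azure docs.
VAULT_SUFFIX = {
    "AzureCloud": "vault.azure.net",
    "AzureUSGovernment": "vault.usgovcloudapi.net",
    "AzureChinaCloud": "vault.azure.cn",
}
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")  # Key Vault name rules: alphanumerics and dashes


def vault_url(vault, name, cloud="AzureCloud", api_version="7.0"):
    """Build the GET URL for one secret; rejects names that could smuggle path or query syntax."""
    if cloud not in VAULT_SUFFIX:
        raise ValueError(f"unsupported cloud {cloud!r}")
    if not NAME_RE.fullmatch(vault) or not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid vault/secret name: {vault!r}/{name!r}")
    return f"https://{vault}.{VAULT_SUFFIX[cloud]}/secrets/{name}?api-version={api_version}"


def env_name(secret_name):
    """Key Vault allows '-' in names; POSIX env names do not. Map to an underscore form."""
    n = re.sub(r"[^A-Za-z0-9_]", "_", secret_name)
    return "_" + n if n[0].isdigit() else n


def access_token(suffix):
    """Bearer token for this cloud's Key Vault audience, taken from the azure/login session."""
    cp = subprocess.run(
        ["az", "account", "get-access-token", "--resource", f"https://{suffix}", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(cp.stdout)["accessToken"]


def fetch_secret(url, token, timeout=30, opener=urllib.request.urlopen):
    """GET one secret value; `opener` is injectable so the logic runs without Azure."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with opener(req, timeout=timeout) as resp:
            return json.load(resp)["value"]
    except urllib.error.HTTPError as e:
        # 401/403: wrong token audience or no get permission on the vault; 404: no such secret
        raise RuntimeError(f"Key Vault returned HTTP {e.code} for {url}") from None
    except OSError as e:
        # Unresolvable vault name, TLS failure or read timeout: fail the step, never hang
        raise RuntimeError(f"cannot reach {url}: {e}") from None


def render_kv(name, value):
    """One GITHUB_OUTPUT / GITHUB_ENV entry; multi-line values use the heredoc form."""
    if "\n" not in value:
        return f"{name}={value}\n"
    delim = "EOF_" + secrets.token_hex(8)  # random, so the value cannot contain it
    return f"{name}<<{delim}\n{value}\n{delim}\n"


def publish(name, value, output_file, env_file, log=print):
    """Mask first, then expose as a step output (raw name) and an env var (POSIX-safe name)."""
    for line in value.splitlines():  # the runner masks per line, so register each line
        if line.strip():
            log(f"::add-mask::{line}")
    output_file.write(render_kv(name, value))
    env_file.write(render_kv(env_name(name), value))
    return env_name(name)


def main(environ=os.environ):
    vault = environ["KEYVAULT"]
    cloud = environ.get("AZURE_CLOUD", "AzureCloud")
    names = [n.strip() for n in environ["SECRETS"].split(",") if n.strip()]
    token = access_token(VAULT_SUFFIX[cloud])
    with open(environ["GITHUB_OUTPUT"], "a") as out, open(environ["GITHUB_ENV"], "a") as env:
        for name in names:
            publish(name, fetch_secret(vault_url(vault, name, cloud), token), out, env)
    return names


if __name__ == "__main__":
    try:
        print(f"fetched {len(main())} secret(s) from {os.environ['KEYVAULT']}")
    except (KeyError, ValueError, RuntimeError, subprocess.CalledProcessError) as e:
        print(f"::error::{e}")
        sys.exit(1)
```

A later step reads a value as ${{ steps.<id>.outputs.<secret-name> }} or, through the environment, as $<SECRET_NAME_WITH_UNDERSCORES>. An HTTP 403 from the vault with a valid login means the data-plane permission (the access policy from the section above) is missing, not that the login failed.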
 

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

get-keyvault-secrets's People

Contributors

artsheiko, azooinmyluggage, balaga-gayatri, dependabot[bot], justinyoo, kanika1894, microsoftopensource, msftgits, n-usha, rakku-ms, romil07, tspascoal


get-keyvault-secrets's Issues

Receiving Error: Unable to process command '::set-env

I am receiving the below error when running the task on ubuntu-latest. I see core 1.2.6 is already updated in package-lock.json.

    - name: Get KeyVault Secrets
      uses: Azure/[email protected]
      with:
        keyvault: "mykv"
        secrets: 'ARM-CLIENT-ID, ARM-CLIENT-SECRET, ARM-SUBSCRIPTION-ID, ARM-TENANT-ID'
      id: get_secret_action
Error: Unable to process command '::set-env name=AZURE_HTTP_USER_AGENT,::GITHUBACTIONS_GetKeyVaultSecrets_**' successfully.
Error: The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

Environment variables created from secrets cannot be hyphenated

This action both creates the secret values as output variables and environment variables.
Key-Vault Secret names can only have alphanumeric characters and dashes.
Per POSIX rules environment variables can only have alphanumeric characters and underscores.
https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html
We need to make sure we create environment variables converted to snake case (underscore) rather than hyphens (kebab).
Please advise.

Thanks!

Support Managed Service Identity KeyVault access for Self-Hosted Runners

It would be helpful for this action to support Managed Service Identity (MSI) access to KeyVault for Self-Hosted runners running this GitHub action. This could reduce the need to store cloud secrets in GitHub secrets in order to access Azure KeyVault resources.

If I figure out how to do this I will submit a PR with this change.

Thanks,
Aaron

Add Support for Sovereign clouds like AzureUSGovernment

It would be great if this action supported AzureUSGovernment clouds.

There are two changes that need to be made to make this happen.

  1. vault.azure.net needs to be changed to vault.usgovcloudapi.net
  2. the --resource tokenArgs needs to be changed to support vault.usgovcloudapi.net as well.

I will submit a PR with an attempt at adding this capability
-Aaron

Failure to login AKV using SPN Certificate Credentials.

I'm using a certificate, instead of a secret, as the credential for logging into Azure.
The login action seems to pass in the workflow successfully, but this action fails saying "Error: Could not login to Azure."
I am not able to wrap my head around this issue and need help. Let me know if this is not the right place for this.

How am I supposed to debug this and any other information I can provide for assistance?

GA Date

Hi Team!

I was wondering when is the date for when this action would be released officially? At the moment it is still in pre-release...

Adrian

Handling dynamic key names

I frequently use dynamically changing key names, for example from configuration files, to get secrets from KeyVault. While resolving the key itself works totally fine, the problem lies in the output and how the value is accessible.

The output key for the value equals the input key. This is not a problem if you know the key name beforehand by statically assigning it, but it causes a problem when using a dynamic value as a key, since there is no way (I am aware of) to reference such a value directly.

See this minimal example

name: Build

on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - id: prepare
      uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
    - name: Get keyvault secrets
      uses: azure/get-keyvault-secrets@v1
      with:
        keyvault: ${{ steps.prepare.outputs.keyvault_name }}
        secrets: static-key, ${{ steps.prepare.outputs.env_username }}

In the example shown above, the name of the environment variable or the step output is now based on the value of the evaluated ${{ steps.prepare.outputs.env_username }} expression, in order to access the value you'd need a nested syntax which is not possible as far as I understood.

Working around that is relatively easy using the az CLI and saving the output to a file or a statically assigned variable name, but it hurts the readability and maintainability of the pipeline using an otherwise perfectly working action. I'm not sure if it's common to encounter that issue, but I think it would be great to accommodate such use cases.

The best way I found to implement that in a non-breaking way would be to let the user optionally pass a variable name for a given value that is used to override the automatically generated one, for example by separating the value by a char like :.

    - id: prepare
      uses: custom/action-that-reads-configuration-and-outputs # reads configuration based on the deployment target
    - name: Get keyvault secrets
      uses: azure/get-keyvault-secrets@v1
      with:
        keyvault: ${{ steps.prepare.outputs.keyvault_name }}
        secrets: static-key, ${{ steps.prepare.outputs.env_username }} :override_variable_name:

Am I missing something with my approach or is this actually not possible with the current implementation?

Deprecation info

@BALAGA-GAYATRI can you provide more information on why this action was deprecated? This action is heavily used by my organization, and the recommended replacement action (azure/cli@v1 action) is not sufficient. If I'm not mistaken this action will treat the returned values as plaintext, not obfuscated secrets. Additionally this action doesn't even work on self-hosted runners (Azure/cli#71).

Even stranger, the official Microsoft documentation is still using get-keyvault-secrets in the code example, but soon after the deprecation someone updated the action marketplace link to a non-verified action maintained by a single developer.

Action never fails when trying to access non-existing KV

Hi,

I noticed this by accident, but what appears to happen is that when I try to fetch a secret from a non-existing KV the action never fails but hangs there forever.

I waited for 10-15 minutes, and at the end had to cancel my workflow.

Here is how the action itself is being used:

    - name: Fetch Neo4j password from KV
      id: getSecrets
      uses: Azure/get-keyvault-secrets@v1
      with:
        keyvault: 'cb-${{ github.event.inputs.environment }}-kv'
        secrets: 'neo4j-password'

Here are the logs:

##[debug]Evaluating condition for step: 'Fetch Neo4j password from KV'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Fetch Neo4j password from KV
##[debug]Loading inputs
##[debug]Evaluating: format('cb-***0***-kv', github.event.inputs.environment)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> 'cb-***0***-kv'
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating Index:
##[debug]........Evaluating github:
##[debug]........=> Object
##[debug]........Evaluating String:
##[debug]........=> 'event'
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'inputs'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'environment'
##[debug]..=> 'testing'
##[debug]=> 'cb-testing-kv'
##[debug]Result: 'cb-testing-kv'
##[debug]Loading env
Run Azure/get-keyvault-secrets@v1
  with:
    keyvault: cb-testing-kv
    secrets: neo4j-password
  env:
    AZURE_CREDENTIALS: ***
    AZURE_DEPLOYMENT_NAME: testing-neo4j-2226640039
    AZURE_HTTP_USER_AGENT: 
    AZUREPS_HOST_ENVIRONMENT: 
##[debug]try-get AzureCLIAuthorizer
##[debug]"/usr/bin/az" account show
##[debug]"/usr/bin/az" cloud show
##[debug]"/usr/bin/az" cloud show --query name
Running keyvault action against AzureCloud
##[debug]"/usr/bin/az" account get-access-token
::add-mask::***
##[debug][GET] https://cb-testing-kv.vault.azure.net/secrets/neo4j-password?api-version=7.0
##[debug]Re-evaluate condition on job cancellation for step: 'Fetch Neo4j password from KV'.
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS_GetKeyVaultSecrets_a372436c28a7c5193d0b8cc22264c520bb478d4f05e7d508eac7a29a40329108'
##[debug]AZURE_HTTP_USER_AGENT=''
Error: The operation was canceled.
##[debug]System.OperationCanceledException: The operation was canceled.
##[debug]   at System.Threading.CancellationToken.ThrowOperationCanceledException()
##[debug]   at GitHub.Runner.Sdk.ProcessInvoker.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Channel`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, CancellationToken cancellationToken)
##[debug]   at GitHub.Runner.Common.ProcessInvokerWrapper.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Channel`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, CancellationToken cancellationToken)
##[debug]   at GitHub.Runner.Worker.Handlers.DefaultStepHost.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Boolean inheritConsoleHandler, CancellationToken cancellationToken)
##[debug]   at GitHub.Runner.Worker.Handlers.NodeScriptActionHandler.RunAsync(ActionRunStage stage)
##[debug]   at GitHub.Runner.Worker.ActionRunner.RunAsync()
##[debug]   at GitHub.Runner.Worker.StepsRunner.RunStepAsync(IStep step, CancellationToken jobCancellationToken)
##[debug]Finishing: Fetch Neo4j password from KV

Not sure if I am doing something wrong here, and this is of course not blocking me in any way, but it felt like strange behavior that I thought was worth reporting.

When I try this with the CLI I get an error.

Regards,
Mirza

Invalid regular expression: /*/: Nothing to repeat on self-hosted GithubRunner

Hello,

We had a working GitHub Actions workflow that uses Azure/get-keyvault-secrets@v1 (runs-on: ubuntu-latest). We moved the workflow to a self-hosted GitHub runner (runs-on: self-hosted) and the Azure/get-keyvault-secrets@v1 step fails with an error message:

Error: Invalid regular expression: /*/: Nothing to repeat

The Azure/login@v1 step is successful.

I wonder if it's this line?
main.ts:33
environment = environment.replace(/"|\s/g, '');

because the line below it doesn't trigger.
console.log('Running keyvault action against ' + environment);

When running this command in the az console
az cloud show --query name

I get "AzureCloud" as a return.

RBAC based access policies on the Key Vault

This step in the README suggests that Key Vault access policies are the expectation:
https://github.com/Azure/get-keyvault-secrets#enable-permissions-to-access-the-key-vault-secrets

However Key Vault also supports RBAC based permissions. Is this model supported?
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

I tried it by giving the service principal the "Key Vault Reader" role (21090545-7ca7-4776-b22c-e363652d74d2) but I ran into access denied errors. Switching over to Key Vault access policies resolved the issue.
