Skip to content

Warning

You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?

Get Secret Manager secrets

Actions
Get secrets from Google Secret Manager and make their results available as output variables
v1.0.0
By google-github-actions
Verified creator
Star (151)

Tags

 (2)
continuous-integrationsecurity

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

get-secretmanager-secrets

This action fetches secrets from Secret Manager and makes them available to later build steps via outputs. This is useful when you want Secret Manager to be the source of truth for secrets in your organization, but you need access to those secrets in build steps.

Secrets that are successfully fetched are set as output variables and can be used in subsequent actions. After a secret is accessed, its value is added to the mask of the build to reduce the chance of it being printed or logged by later steps.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See Authorization for more information.

  • This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'
      with:
        secrets: |-
          token:my-project/docker-registry-token

    # Example of using the output
    - id: 'publish'
      uses: 'foo/bar@main'
      env:
        TOKEN: '${{ steps.secrets.outputs.token }}'

Inputs

  • secrets: (Required) The list of secrets to access and inject into the environment. Due to limitations with GitHub Actions inputs, this is specified as a string.

    You can specify multiple secrets by putting each secret on its own line:

    secrets: |-
  output1:my-project/my-secret1
  output2:my-project/my-secret2

    Secrets can be referenced using the following formats:

    # Long form
projects/<project-id>/secrets/<secret-id>/versions/<version-id>

# Long form - "latest" version
projects/<project-id>/secrets/<secret-id>

# Short form
<project-id>/<secret-id>/<version-id>

# Short form - "latest" version
<project-id>/<secret-id>

  • min_mask_length: (Optional, default: "4") Minimum line length for a secret to be masked. Extremely short secrets (e.g. "{" or "a") can make GitHub Actions log output unreadable. This is especially important for multi-line secrets, since each line of the secret is masked independently.

Outputs

Each secret is prefixed with an output name. The secret's resolved access value will be available at that output in future build steps.

For example:

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'
      with:
        secrets: |-
          token:my-project/docker-registry-token

will be available in future steps as the output "token":

# other step
- id: 'publish'
  uses: 'foo/bar@main'
  env:
    TOKEN: '${{ steps.secrets.outputs.token }}'

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v3'

    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v1'

The action will automatically detect and use the Application Default Credentials.

Contributors (11)

@dependabot@sethvargo@bharathkkb@verbanicm@averikitsch@glasser@codiophile@brandonwkipp@danBamikiya@abheda-crest
+ 1 contributors

Resources

Get Secret Manager secrets is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

About

Get secrets from Google Secret Manager and make their results available as output variables
v1.0.0
By google-github-actions

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Tags

 (2)
continuous-integrationsecurity

Contributors (11)

@dependabot@sethvargo@bharathkkb@verbanicm@averikitsch@glasser@codiophile@brandonwkipp@danBamikiya@abheda-crest
+ 1 contributors

Resources

Get Secret Manager secrets is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.