Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault

For a more consistently updated version of this guide, visit HashiCorp Learn's Vault GitHub Actions guide.

We are happy to announce that we have an officially supported HashiCorp Vault GitHub Action. GitHub Actions allow you to easily automate your CI/CD developer workflows to run actions against repositories based on triggers within GitHub. The Vault GitHub Action allows you to take advantage of secrets sourced from your HashiCorp Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows.

The Vault GitHub Action was originally created by Richard Simpson who transferred ownership of the repository to HashiCorp for continual improvement and long term support. We wanted to thank Richard for the amazing contribution to the HashiCorp Vault open-source ecosystem.

»Getting Started

Frequently, you will need to inject secrets into your CI/CD pipeline and Github Actions can be a great way to trigger events based on how you build, test, or deploy your code. HashiCorp Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines and applications. Using both Github Actions and HashiCorp Vault together allows you to easily inject secrets into these CI/CD pipelines just in time for things like API key retrieval.

For example, in a CI/CD pipeline you might fetch a credential from HashiCorp Vault to a cloud provider for trigger an application deployment, or maybe you are uploading an application binary into a storage bucket and need a credential for that, and these are just a few examples but they highlight the need for secret injection into these types of workflows.

If you are new to GitHub Action there is a great getting started guide that will help you. To get started with using GitHub Action and the HashiCorp Vault GitHub Action here’s a quick code snipped with works as a good proof of concept. You will define a step, where you authenticate with HashiCorp Vault, then fetch the secrets you are interested in. It’s that simple.

jobs:
    build:
        # ...
        steps:
            # ...
            - name: Import Secrets
              uses: hashicorp/vault-action
              with:
                url: https://vault.mycompany.com:8200
                token: ${{ secrets.VaultToken }}
                caCertificate: ${{ secrets.VAULTCA }}
                secrets: |
                    secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
                    secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
                    secret/data/ci npm_token
            # ...

The HashiCorp Vault GitHub Action allows you to authenticate to Vault using a token, AppRole, or GitHub auth methods. Once authenticated, HashiCorp Vault allows you to fetch a variety of secrets based on what your policy has access to, you will just need the path of where your secrets live, say for example in a static or dynamic secrets engine use-case.

In practice, you will likely be using a Github self-hosted runner when connecting to HashiCorp Vault since your Vault infrastructure is commonly not internet accessible from Github’s infrastructure. A self-hosted runner allows you to connect HashiCorp Vault directly over your internal networks and then inject the secrets into your Github Actions steps.

To learn more, please watch the joint webinar between GitHub and HashiCorp where we provide an end-to-end demonstration of these tools in action, along with a long question and answer section. The demo starts with an existing CI/CD pipeline, introduces the benefits that HashiCorp Vault and GitHub offer, and then integrates them into a joint pipeline.

»Next Steps

GitHub Actions allow you to easily automate your CI/CD workflows to run actions against repositories based on triggers and are well worth exploring for many use cases. If you have the need to inject secrets in these workflows, please visit the officially supported HashiCorp Vault GitHub Action as we think it makes a great addition. If you have any questions, or ideas on how to improve this Action, please file an issue in the repository.