Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault
We are happy to announce that we have an officially supported HashiCorp Vault GitHub Action. GitHub Actions allow you to easily automate your CI/CD developer workflows to run actions against repositories based on triggers within GitHub. The Vault GitHub Action allows you to take advantage of secrets sourced from your HashiCorp Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows.
For a more consistently updated version of this guide, visit HashiCorp Learn's Vault GitHub Actions guide.
We are happy to announce that we have an officially supported HashiCorp Vault GitHub Action. GitHub Actions allow you to easily automate your CI/CD developer workflows to run actions against repositories based on triggers within GitHub. The Vault GitHub Action allows you to take advantage of secrets sourced from your HashiCorp Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows.
The Vault GitHub Action was originally created by Richard Simpson who transferred ownership of the repository to HashiCorp for continual improvement and long term support. We wanted to thank Richard for the amazing contribution to the HashiCorp Vault open-source ecosystem.
» Getting Started
Frequently, you will need to inject secrets into your CI/CD pipeline and Github Actions can be a great way to trigger events based on how you build, test, or deploy your code. HashiCorp Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines and applications. Using both Github Actions and HashiCorp Vault together allows you to easily inject secrets into these CI/CD pipelines just in time for things like API key retrieval.
For example, in a CI/CD pipeline you might fetch a credential from HashiCorp Vault to a cloud provider for trigger an application deployment, or maybe you are uploading an application binary into a storage bucket and need a credential for that, and these are just a few examples but they highlight the need for secret injection into these types of workflows.
If you are new to GitHub Action there is a great getting started guide that will help you. To get started with using GitHub Action and the HashiCorp Vault GitHub Action here’s a quick code snipped with works as a good proof of concept. You will define a step, where you authenticate with HashiCorp Vault, then fetch the secrets you are interested in. It’s that simple.
jobs:
build:
# ...
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VaultToken }}
caCertificate: ${{ secrets.VAULTCA }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
The HashiCorp Vault GitHub Action allows you to authenticate to Vault using a token, AppRole, or GitHub auth methods. Once authenticated, HashiCorp Vault allows you to fetch a variety of secrets based on what your policy has access to, you will just need the path of where your secrets live, say for example in a static or dynamic secrets engine use-case.
In practice, you will likely be using a Github self-hosted runner when connecting to HashiCorp Vault since your Vault infrastructure is commonly not internet accessible from Github’s infrastructure. A self-hosted runner allows you to connect HashiCorp Vault directly over your internal networks and then inject the secrets into your Github Actions steps.
To learn more, please watch the joint webinar between GitHub and HashiCorp where we provide an end-to-end demonstration of these tools in action, along with a long question and answer section. The demo starts with an existing CI/CD pipeline, introduces the benefits that HashiCorp Vault and GitHub offer, and then integrates them into a joint pipeline.
» Next Steps
GitHub Actions allow you to easily automate your CI/CD workflows to run actions against repositories based on triggers and are well worth exploring for many use cases. If you have the need to inject secrets in these workflows, please visit the officially supported HashiCorp Vault GitHub Action as we think it makes a great addition. If you have any questions, or ideas on how to improve this Action, please file an issue in the repository.
Sign up for the latest HashiCorp news
More blog posts like this one
Vault integrations with MongoDB, Private Machines, and walt.id strengthen customer security
Three new HashiCorp Vault ecosystem integrations extend security use cases for customers.
HashiCorp at re:Invent 2024: Security Lifecycle Management with AWS
A recap of HashiCorp security news and developments on AWS from the past year, for your security management playbook.
HCP Vault Dedicated adds secrets sync, cross-region DR, EST PKI, and more
The newest HCP Vault Dedicated 1.18 upgrade includes a range of new features that include expanding DR region coverage, syncing secrets across providers, and adding PKI EST among other key features.