-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
new post 2023-10-16-github-actions-get-azure-keyvault-secrets-action
- Loading branch information
Showing
1 changed file
with
63 additions
and
0 deletions.
There are no files selected for viewing
63 changes: 63 additions & 0 deletions
63
_posts/2023/2023-10-16-github-actions-get-azure-keyvault-secrets-action.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| --- | ||
| last_modified_at: | ||
| title: "Github Actions - copdips/get-azure-keyvault-secrets-action" | ||
| excerpt: "" | ||
| tags: | ||
| - cicd | ||
| - githubaction | ||
| - python | ||
| - azure | ||
| - vault | ||
| published: true | ||
| # header: | ||
| # teaserlogo: | ||
| # teaser: '' | ||
| # image: '' | ||
| # caption: | ||
| gallery: | ||
| - image_path: '' | ||
| url: '' | ||
| title: '' | ||
| --- | ||
|
|
||
| Recently, I began a new project that requires migrating some process from Azure Pipelines to Github Actions. One of the tasks involves retrieving secrets from Azure Key Vault. | ||
|
|
||
| In Azure Pipelines, we have an official task called [AzureKeyVault](https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops) designed for this purpose. However, its official counterpart in Github Actions, [Azure Key Vault Secrets](https://github.com/Azure/get-keyvault-secrets), has been deprecated. The recommended alternative is [Azure CLI](https://github.com/Azure/get-keyvault-secrets#deprecation-notice). While Azure CLI is a suitable option, it operates in a bash shell without multithreading. If numerous secrets need to be fetched, this can be time-consuming. | ||
|
|
||
| Over the past weekend, I decided to write my own action using Python, leveraging `asyncio`. I avoided any additional third party Python modules like `requests`, `aiohttp`, or `httpx`, so no pip install needed. As anticipated, the pure Python solution is notably faster than using the Azure CLI, and even surpasses the speed of the Azure Pipelines task `AzureKeyVault@2`. In my tests, it was able to retrieve the all the secrets from an Azure Key Vault within seconds. | ||
|
|
||
| The source code is at: [copdips/get-azure-keyvault-secrets-action](https://github.com/copdips/get-azure-keyvault-secrets-action) | ||
|
|
||
| And hereunder is the usage: | ||
|
|
||
| {% raw %} | ||
|
|
||
| ```yaml | ||
| # in the calling workflow, user should first login to Azure | ||
| - uses: Azure/login@v1 | ||
| with: | ||
| # creds: ${{secrets.AZURE_CREDENTIALS}} is not recommended due to json secrets security concerns. | ||
| creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}' | ||
|
|
||
| - name: Get Azure KeyVault secrets | ||
| id: get-azure-keyvault-secrets | ||
| uses: copdips/get-azure-keyvault-secrets-action@v1 | ||
| with: | ||
| keyvault: {your_azure_keyvault_name} | ||
|
|
||
| # Suppose there's a secret named client-secret in the keyvault, | ||
| # so a env var named CLIENT_SECRET should be created by the action. | ||
| # You won't see the secret value in the workflow log as it's masked by Github automatically. | ||
| - name: Use secrets from env var | ||
| run: | | ||
| echo $CLIENT_SECRET | ||
| echo ${{ env.CLIENT_SECRET }} | ||
| - name: Use secrets from output | ||
| run: | | ||
| echo $JSON_SECRETS | jq .CLIENT_SECRET -r | ||
| env: | ||
| JSON_SECRETS: ${{ steps.get-azure-keyvault-secrets.outputs.json }} | ||
| ``` | ||
| {% endraw %} |