GitHub Actions

Keeper Secrets Manager integration into GitHub Actions for dynamic secrets retrieval

Features

  • Retrieve secrets from the Keeper Vault within the GitHub Actions runner

  • Set secret credentials as build arguments or environment variables in GitHub Actions scripts

  • Copy secure files from the Keeper Vault

For a complete list of Keeper Secrets Manager features, see the Overview.

Video Demo

The overview video below covers basic setup and ends with a basic GitHub Actions integration.

Prerequisites

This page documents the Secrets Manager GitHub Actions integration. In order to use this integration, you will need:

  • Keeper Secrets Manager access (see the Quick Start Guide for more details)

    • Secrets Manager addon enabled for your Keeper account

    • Membership in a Role with the Secrets Manager enforcement policy enabled

  • A Keeper Secrets Manager Application with secrets shared to it

    • See the Quick Start Guide for instructions on creating an Application

  • An initialized Keeper Secrets Manager Configuration

    • The GitHub Actions integration accepts JSON and Base64 format configurations

About

This action securely retrieves secrets from Keeper and places them at the desired destination on the GitHub Actions runner: an environment variable, an output parameter of the step, or a file.

Quick Start

The example below shows all available functionality of this plugin:

    on:
      push:
        branches: [ master ]

    jobs:
      buildexecutable:
        runs-on: ubuntu-latest
        name: Build with Keeper secrets
        steps:

          - name: Retrieve secrets from Keeper
            id: ksecrets
            uses: Keeper-Security/ksm-action@master
            with:
              keeper-secret-config: ${{ secrets.KSM_CONFIG }}
              secrets: |-
                  # Reference records by UID
                  uid123/field/password > PASSWORD
                  uid234/field/password > env:PASSWORD
                  uid234/field/login > LOGIN
                  uid234/custom_field/Cust1 > env:CUST1
                  uid321/file/Certificate.crt > file:/tmp/Certificate.crt
                  # Reference records by title - see Keeper Notation for full detail
                  Server1/field/password > PASSWORD1
                  Server2/field/password > PASSWORD2

          # View secret stored into 'PASSWORD' environment variable
          - name: Print password
            run: |
              echo "Password is ${{ env.PASSWORD }}"
              echo "Login is ${{ steps.ksecrets.outputs.LOGIN }}"

You will need to provide two inputs to use the GitHub Actions plugin:

  • A Keeper Secrets Manager configuration

    • GitHub Actions supports JSON type configuration

  • Keeper Notation queries for secrets

Inputs

keeper-secret-config

Secrets Manager configuration. See the Keeper Secrets Manager configuration documentation for more information about creating a configuration.

JSON type configuration is supported.

Example:

    keeper-secret-config: ${{ secrets.KSM_CONFIG }}

We recommend storing the configuration in a GitHub Actions secret and accessing it as a variable, as shown in the example above.

secrets

Queries using Keeper Notation to access fields in Keeper records.

The secrets input is the list of secrets that you need to get from Keeper and put into either an environment variable, a GitHub Actions output, or a file.

Example:

    secrets: |-
      # Reference records by UID
      uid123/field/password > APP_PASSWORD
      uid234/field/password > env:DB_PASSWORD
      uid321/file/Certificate.crt > file:/tmp/Certificate.crt
      # Reference records by title - see Keeper Notation for full detail
      App1/field/password > PASSWORD1
      DB2/field/password > PASSWORD2

The first part is the ID of the secret, written in the Keeper Notation format.

When referencing complex values in a secret, refer to the Keeper Notation documentation.

Use predicate notation (see Keeper Notation - Predicates) when referencing values that are arrays, key-value pairs, or any other nested value.

The second part defines the destination of the secret in the GitHub runner:

| Notation \ Destination prefix | Default (empty)                                    | env:                                                      | file:                                          |
|-------------------------------|----------------------------------------------------|-----------------------------------------------------------|------------------------------------------------|
| field or custom_field         | Notation query result is placed into step's output | Notation query result is placed into environment variable | Not allowed                                    |
| file                          | file is downloaded and placed into destination     | file is downloaded and placed into destination            | file is downloaded and placed into destination |

Masking - Hiding Secrets from Logs

This action uses GitHub Actions' built-in masking, so all variables are automatically masked if printed to the console or to logs. Masking only obscures secrets in output logs. If someone has the ability to edit your workflows, they can read the secrets and therefore write them somewhere else, just as with normal GitHub Secrets.

Source Code

Find the Keeper Secrets Manager GitHub Actions plugin source code in the GitHub repository.
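The secrets input grammar and the notation/destination table above, worked through as an added example that is not part of this page or of the Keeper-Security/ksm-action project: a small Python validator that parses a secrets block into (record, type, path, destination) entries and rejects the one combination the table marks as not allowed, a field or custom_field routed to a file: destination. The sample input block, the identifier check on env and output names, and all function and class names are this example's own assumptions, not the action's code.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the page): a "secrets" block in the same
# "<record>/<type>/<path> > [prefix:]<name>" shape the workflow example uses.
SAMPLE_SECRETS_INPUT = """\
# Reference records by UID
uid123/field/password > PASSWORD
uid234/field/password > env:DB_PASSWORD
uid321/file/Certificate.crt > file:/tmp/Certificate.crt
# Reference records by title
Server1/custom_field/Cust1 > env:CUST1
"""

# Destinations each notation type may be routed to, per the page's
# notation/destination table ("output" is the default, empty prefix).
ALLOWED_DESTINATIONS = {
    "field": {"output", "env"},
    "custom_field": {"output", "env"},
    "file": {"output", "env", "file"},
}

# Assumption of this example: output and env names must look like environment
# variable identifiers; file destinations may be any non-empty path.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass(frozen=True)
class SecretMapping:
    record: str     # record UID or title
    kind: str       # field, custom_field or file
    path: str       # field or file name, may carry predicates such as [0]
    dest_kind: str  # output, env or file
    dest_name: str  # output/env variable name or file path


def parse_query(line: str) -> SecretMapping:
    """Parse one 'notation > destination' line and enforce the destination rules."""
    if ">" not in line:
        raise ValueError(f"missing '>' separator: {line!r}")
    notation, destination = (part.strip() for part in line.split(">", 1))

    parts = notation.split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"notation must be <record>/<type>/<path>: {notation!r}")
    record, kind, path = parts
    if kind not in ALLOWED_DESTINATIONS:
        raise ValueError(f"unknown notation type {kind!r} in {notation!r}")

    if destination.startswith("env:"):
        dest_kind, dest_name = "env", destination[len("env:"):]
    elif destination.startswith("file:"):
        dest_kind, dest_name = "file", destination[len("file:"):]
    else:
        dest_kind, dest_name = "output", destination

    if not dest_name:
        raise ValueError(f"empty destination in {line!r}")
    if dest_kind != "file" and not NAME_RE.match(dest_name):
        raise ValueError(f"{dest_name!r} is not a valid {dest_kind} name")
    if dest_kind not in ALLOWED_DESTINATIONS[kind]:
        # The table's "Not allowed" cell: a field value cannot be written to a file.
        raise ValueError(f"{kind} values cannot be routed to {dest_kind}: {line!r}")

    return SecretMapping(record, kind, path, dest_kind, dest_name)


def parse_secrets_input(text: str) -> list[SecretMapping]:
    """Parse a whole secrets block, skipping blank lines and '#' comment lines."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mappings.append(parse_query(line))
    return mappings


def is_valid_query(line: str) -> bool:
    """True if the line parses and obeys the destination rules."""
    try:
        parse_query(line)
    except ValueError:
        return False
    return True


def destinations_by_kind(mappings: list[SecretMapping]) -> dict[str, list[str]]:
    """Group destination names by kind, e.g. to review what lands in env vs. output."""
    grouped: dict[str, list[str]] = {"output": [], "env": [], "file": []}
    for m in mappings:
        grouped[m.dest_kind].append(m.dest_name)
    return grouped


if __name__ == "__main__":
    mappings = parse_secrets_input(SAMPLE_SECRETS_INPUT)
    for m in mappings:
        print(m)
    print(destinations_by_kind(mappings))
```

Running a check like this in a pre-commit hook or a workflow-lint job catches a malformed secrets block before the action runs, which matters because a query that fails at runtime leaves the job without the credential it expected rather than with a partial one.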