GitHub Actionsへのシークレットマネージャー連携と動的なシークレット取得
keeper-secret-configsecretscreate-if-missingfolder-uidnew-record-typefail-on-store-errorallow-empty-values最終更新
- name: Retrieve secrets from Keeper
id: ksecrets
uses: Keeper-Security/ksm-action@v1
with:
keeper-secret-config: ${{ secrets.KSM_CONFIG }}
secrets: |-
uid123/field/password > env:DB_PASSWORD
uid234/field/login > LOGIN
uid321/file/Certificate.crt > file:/tmp/Certificate.crt- name: Use retrieved secrets
run: |
echo "DB password is set in env: ${{ env.DB_PASSWORD }}"
echo "Login is in step output: ${{ steps.ksecrets.outputs.LOGIN }}"- name: Rotate database password
uses: Keeper-Security/ksm-action@v1
with:
keeper-secret-config: ${{ secrets.KSM_CONFIG }}
secrets: |-
# Store from a GitHub Actions expression
uid123/field/password < ${{ steps.generate.outputs.NEW_PASSWORD }}
# Or from an env var: uid123/field/password < env:NEW_PASSWORD
# Or from a file: uid123/field/password < file:./new-password.txt
# Upload a file to a record
uid456/file < file:./renewed-cert.pem- name: Rotate and confirm
id: ksecrets
uses: Keeper-Security/ksm-action@v1
with:
keeper-secret-config: ${{ secrets.KSM_CONFIG }}
secrets: |-
uid123/field/password > OLD_PASSWORD
uid123/field/password < ${{ steps.generate.outputs.NEW_PASSWORD }}keeper-secret-config: ${{ secrets.KSM_CONFIG }}RecordUID/field/fieldname > DESTINATIONRecordUID/field/fieldname < SOURCEsecrets: |-
# Retrieve
uid123/field/password > env:DB_PASSWORD
uid234/field/login > LOGIN
uid321/file/Certificate.crt > file:/tmp/Certificate.crt
# Store
uid123/field/password < ${{ steps.generate.outputs.NEW_PW }}
uid456/field/apiKey < env:GENERATED_KEY
uid789/file < file:./renewed-cert.pem- name: Store secret, create record if needed
uses: Keeper-Security/ksm-action@v1
with:
keeper-secret-config: ${{ secrets.KSM_CONFIG }}
create-if-missing: true
folder-uid: XXXXXXXXXXXXXXXXXXXX
secrets: |-
MyApp/field/apiKey < ${{ steps.generate.outputs.API_KEY }}