GitHub Actions
Keeper Secrets Manager integration into GitHub Actions for dynamic secrets retrieval

Prerequisites

This page documents the Secrets Manager GitHub Actions integration. In order to utilize this integration, you will need:
  • Keeper Secrets Manager access (See the Quick Start Guide for more details)
    • Secrets Manager addon enabled for your Keeper account
    • Membership in a Role with the Secrets Manager enforcement policy enabled
  • A Keeper Secrets Manager Application with secrets shared to it
  • An initialized Keeper Secrets Manager Configuration
    • The GitHub Actions integration accepts JSON and Base64 format configurations

Overview

This action securely retrieves secrets from Keeper and places them in the desired destination on the GitHub Actions runner: an environment variable, an output parameter of the step, or a file.

Quick Start

The example below shows all of the functionality this plugin provides:

```yaml
on:
  push:
    branches: [ master ]

jobs:
  buildexecutable:
    runs-on: ubuntu-latest
    name: Build with Keeper secrets
    steps:

    - name: Retrieve secrets from Keeper
      id: ksecrets
      # pin to a released tag or commit SHA in production rather than a branch
      uses: Keeper-Security/ksm-action@master
      with:
        keeper-secret-config: ${{ secrets.KSM_CONFIG }}
        secrets: |
          uid123/field/password > PASSWORD
          uid234/field/password > env:PASSWORD
          uid234/field/login > LOGIN
          uid234/custom_field/Cust1 > env:CUST1
          uid321/file/Certificate.crt > file:/tmp/Certificate.crt

    # View the secret stored in the 'PASSWORD' environment variable
    - name: Print password
      run: |
        echo "Password is ${{ env.PASSWORD }}"
        echo "Login is ${{ steps.ksecrets.outputs.LOGIN }}"
```

You will need to provide two inputs to use the GitHub Actions plugin:

Inputs

keeper-secret-config

Secrets Manager configuration. See the documentation for more information about creating a configuration.
JSON-format configurations are supported.
Example:

```yaml
keeper-secret-config: ${{ secrets.KSM_CONFIG }}
```

We recommend storing the configuration in a GitHub Actions secret and accessing it as a variable, as shown in the example above.

secrets

Queries using Keeper Notation to access fields in Keeper records.
The secrets input is the list of secrets you need to get from Keeper and put into an environment variable, a GitHub Actions output, or a file.
Example:

```yaml
secrets: |
  uid123/field/password > APP_PASSWORD
  uid234/field/password > env:DB_PASSWORD
  uid321/file/Certificate.crt > file:/tmp/Certificate.crt
```
The first part is the id of the secret in Keeper Notation format.
The second part defines the destination of the secret on the GitHub runner. Where each notation type may be placed depends on the destination prefix:

field or custom_field notation
  Default (empty): Notation query result is placed into the step's output
  env:             Notation query result is placed into an environment variable
  file:            Not allowed

file notation
  Default (empty): file is downloaded and placed into the destination
  env:             file is downloaded and placed into the destination
  file:            file is downloaded and placed into the destination
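To make the notation-to-destination rules above concrete, here is an added example (not the ksm-action source) that parses a `secrets` input block, rejects the `file:` destination for field notation, and builds the masked delivery plan a runner would consume. Record UIDs, field names and values are constructed samples; `plan_delivery` is a hypothetical helper, and the `::add-mask::`, `$GITHUB_ENV` and `$GITHUB_OUTPUT` mechanisms are GitHub's own.

```python
# Added example, not the ksm-action source. Record UIDs, field names and secret
# values below are constructed samples.
import re
from dataclasses import dataclass

# <notation> > [env:|file:]<destination>   (no prefix = step output)
_LINE = re.compile(r"^(?P<notation>\S+)\s*>\s*(?:(?P<prefix>env|file):)?(?P<dest>\S+)$")
_KINDS = ("field", "custom_field", "file")


@dataclass(frozen=True)
class SecretMapping:
    notation: str   # e.g. uid123/field/password
    kind: str       # "field", "custom_field" or "file"
    dest_type: str  # "output", "env" or "file"
    dest: str       # env/output name, or a path for file:


def parse_secrets_input(text: str) -> list[SecretMapping]:
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed secrets line: {line!r}")
        parts = m["notation"].split("/", 2)
        if len(parts) != 3 or parts[1] not in _KINDS:
            raise ValueError(f"unsupported notation: {m['notation']!r}")
        dest_type = m["prefix"] or "output"
        # Destination table: field values may not be written with the file: prefix
        if parts[1] != "file" and dest_type == "file":
            raise ValueError(f"file: not allowed for {parts[1]} notation: {line!r}")
        mappings.append(SecretMapping(m["notation"], parts[1], dest_type, m["dest"]))
    return mappings


def plan_delivery(mappings: list[SecretMapping], values: dict[str, str]) -> dict:
    """Mask each value, then route it by destination type.

    ::add-mask:: is GitHub's log-redaction workflow command; env/output entries
    are the NAME=value lines appended to $GITHUB_ENV / $GITHUB_OUTPUT.
    """
    plan = {"mask": [], "env": {}, "output": {}, "file": {}}
    for m in mappings:
        value = values[m.notation]  # resolved by the Keeper SDK in the real action
        plan["mask"].append(f"::add-mask::{value}")
        plan[m.dest_type][m.dest] = value
    return plan
```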

Masking - Hiding Secrets from Logs

This action uses GitHub Actions' built-in masking, so all variables are automatically masked if printed to the console or to logs. This only obscures secrets in output logs. Anyone who can edit your workflows can read the secrets and write them somewhere else, just as with normal GitHub Secrets.