GitHub Actions

Keeper Secrets Manager integration into GitHub Actions for dynamic secrets retrieval

Overview

This action retrieves secrets from Keeper at run time and places each one at the destination you choose on the GitHub Actions runner: an environment variable, an output parameter of the step, or a file on disk.

Quick Start

The example below shows all of the functionality available in this action: retrieving secrets into a step output, into environment variables and into a file, then reading them back in a later step.

on:
  push:
    branches: [ master ]
jobs:
  buildexecutable:
    runs-on: ubuntu-latest
    name: Build with Keeper secrets
    steps:
      - name: Retrieve secrets from Keeper
        id: ksecrets
        uses: Keeper-Security/ksm-[email protected]
        with:
          keeper-secret-config: ${{ secrets.KEEPER_SECRET_CONFIG }}
          secrets: |
            uid123/field/password > PASSWORD
            uid234/field/password > env:PASSWORD
            uid234/field/login > LOGIN
            uid234/custom_field/Cust1 > env:CUST1
            uid321/file/Certificate.crt > file:/tmp/Certificate.crt
      # View secret stored into 'PASSWORD' environment variable
      - name: Print password
        run: |
          echo "Password is ${{ env.PASSWORD }}"
          echo "Login is ${{ steps.ksecrets.outputs.LOGIN }}"

Inputs

keeper-secret-config - Required

The Keeper Secrets Manager configuration JSON, passed in from a GitHub repository, environment or organization secret. Store it as a GitHub Secret and reference it with the secrets context as shown below; never paste the configuration JSON inline in the workflow file, since it grants access to every record the application can read.

Example:

keeper-secret-config: ${{ secrets.KEEPER_SECRET_KEY }}

secrets - Required

secrets: |
uid123/field/password > APP_PASSWORD
uid234/field/password > env:DB_PASSWORD

The “secrets” input is the list of secrets to retrieve from Keeper, one per line, and where to put each of them: an environment variable, a GitHub Actions step output, or a file. Each line has two parts separated by “>”. The first part selects the secret in KSM Notation format (record UID, then “field”, “custom_field” or “file”, then the field or file name). The second part names the destination on the GitHub runner, optionally preceded by an “env:” or “file:” prefix; with no prefix the value becomes a step output.

Which destinations are valid depends on the notation type:

| Notation \ Destination prefix | Default (empty)                                  | env:                                                   | file:                                             |
|-------------------------------|--------------------------------------------------|--------------------------------------------------------|---------------------------------------------------|
| field or custom_field         | Notation query result is placed into step's output | Notation query result is placed into environment variable | Not allowed                                    |
| file                          | File is downloaded and placed into destination   | File is downloaded and placed into destination         | File is downloaded and placed into destination    |
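The following is an added example, not the action's own source code: a small parser for the “secrets” input format together with the destination rules from the table above, run against a constructed in-memory vault instead of a real Keeper lookup. The sample record UIDs, field values and the certificate text are invented for the example. One assumption is made where the table is silent: because all three prefixes are listed as “downloaded and placed into destination” for file notation, the example treats whatever follows the prefix as the output path for a file.

```javascript
'use strict';

// Added example (not the ksm-action source): parse the "secrets" input and
// apply the destination rules from the table, against a constructed vault.

// Constructed sample vault, keyed record UID -> selector -> name -> value.
const SAMPLE_VAULT = {
  uid123: { field: { password: 'p4ssw0rd-123' } },
  uid234: {
    field: { password: 'db-s3cret', login: 'svc_user' },
    custom_field: { Cust1: 'custom-value' },
  },
  uid321: {
    file: { 'Certificate.crt': '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n' },
  },
};

const SELECTORS = new Set(['field', 'custom_field', 'file']);
const PREFIXES = new Set(['env', 'file']);

// "<uid>/<selector>/<name> > [prefix:]<destination>"  ->  structured spec.
function parseLine(line) {
  const idx = line.indexOf('>');
  if (idx < 0) throw new Error(`expected "<notation> > <destination>": ${line}`);
  const notation = line.slice(0, idx).trim();
  const target = line.slice(idx + 1).trim();
  const seg = notation.split('/');
  if (seg.length !== 3 || !seg[0] || !seg[2] || !SELECTORS.has(seg[1])) {
    throw new Error(`unsupported notation: ${notation}`);
  }
  let prefix = '';
  let dest = target;
  const m = /^([a-z]+):(.*)$/.exec(target);
  if (m && PREFIXES.has(m[1])) { prefix = m[1]; dest = m[2]; }
  if (!dest) throw new Error(`empty destination: ${line}`);
  return { uid: seg[0], selector: seg[1], name: seg[2], prefix, dest };
}

// Table rules: field/custom_field -> step output (no prefix) or environment
// variable (env:), never a file; file notation -> written to the destination
// path whatever the prefix (assumption: the remainder after the prefix is the path).
function resolveDestination(spec) {
  if (spec.selector === 'file') return { kind: 'file', path: spec.dest };
  if (spec.prefix === 'file') {
    throw new Error(`file: destination is not allowed for ${spec.selector} notation`);
  }
  return { kind: spec.prefix === 'env' ? 'env' : 'output', name: spec.dest };
}

// Stand-in for the Keeper lookup: read from the constructed vault.
function lookup(vault, spec) {
  const value = ((vault[spec.uid] || {})[spec.selector] || {})[spec.name];
  if (value === undefined) {
    throw new Error(`no such secret: ${spec.uid}/${spec.selector}/${spec.name}`);
  }
  return value;
}

// Turn the whole multi-line "secrets" input into a list of placements.
function planSecrets(input, vault = SAMPLE_VAULT) {
  return input
    .split('\n')
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map((line) => {
      const spec = parseLine(line);
      return {
        notation: `${spec.uid}/${spec.selector}/${spec.name}`,
        ...resolveDestination(spec),
        value: lookup(vault, spec),
      };
    });
}

// The Quick Start input, verbatim.
const QUICK_START_SECRETS = `
uid123/field/password > PASSWORD
uid234/field/password > env:PASSWORD
uid234/field/login > LOGIN
uid234/custom_field/Cust1 > env:CUST1
uid321/file/Certificate.crt > file:/tmp/Certificate.crt
`;

// Print only where each value lands, never the value itself.
for (const p of planSecrets(QUICK_START_SECRETS)) {
  console.log(p.kind.padEnd(6), p.kind === 'file' ? p.path : p.name, '<-', p.notation);
}
```

Note that the Quick Start maps two different records to the name PASSWORD: one as a step output and one as an environment variable. Those are separate namespaces on the runner, so the print step's env.PASSWORD is uid234's password while steps.ksecrets.outputs.PASSWORD would be uid123's.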

Masking - Hiding Secrets from Logs

This action registers every retrieved value with GitHub Actions' built-in log masking, so a value that is printed to the console or written to the job log is replaced with ***. Masking only hides exact occurrences of a secret in output logs; it is not an access control. Anyone who can edit your workflows can read the retrieved secrets (for example by encoding them before printing them, or by sending them to a host they control) and can therefore write them somewhere else, exactly as with normal GitHub Secrets. Treat write access to workflow files as equivalent to read access to every secret the workflow can retrieve.
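To make the limitation concrete, here is an added example that is not code from the action or from GitHub's runner. It models masking as exact string replacement, which is the behaviour described above, and shows with constructed log lines that an exact print is hidden while the same value passes through unchanged once it is base64-encoded, hex-encoded or reversed. The secret value and the log lines are invented for the example.

```javascript
'use strict';

// Added example, not the action's or GitHub's code: a model of log masking
// as exact-occurrence replacement, and what a workflow editor can do to it.

function createMasker() {
  const registered = [];
  return {
    // Register a value to hide (what the ::add-mask:: workflow command does).
    addMask(value) {
      if (typeof value === 'string' && value.length > 0) registered.push(value);
    },
    // Replace every exact occurrence, longest values first so that a value
    // containing another registered value is hidden whole.
    mask(line) {
      let out = line;
      for (const s of [...registered].sort((a, b) => b.length - a.length)) {
        out = out.split(s).join('***');
      }
      return out;
    },
  };
}

// Constructed log lines: the first is what the Quick Start print step emits;
// the others are what a step written by someone with edit rights could emit.
function demoLogLines(secret = 'p4ssw0rd-123') {
  const masker = createMasker();
  masker.addMask(secret);
  const raw = [
    `Password is ${secret}`,                                  // exact value: masked
    `b64 ${Buffer.from(secret, 'utf8').toString('base64')}`,  // encoded: passes through
    `hex ${Buffer.from(secret, 'utf8').toString('hex')}`,     // encoded: passes through
    `rev ${[...secret].reverse().join('')}`,                  // reversed: passes through
  ];
  return raw.map((l) => masker.mask(l));
}

// Recover the secret from a "b64 ..." line that masking let through.
function recoverFromBase64Line(line) {
  return Buffer.from(line.slice('b64 '.length), 'base64').toString('utf8');
}

console.log(demoLogLines().join('\n'));
```

The first line comes out as "Password is ***"; the other three still contain a trivially reversible form of the secret. That is why the sentence above matters: masking protects against accidental disclosure in logs, not against a workflow author who wants the value.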