This GitHub Action helps you define your secrets that stored in AWS Secrets Manager to environment values.
1. Using github openid-connect (Recommented)
steps:
- name: Store ENV from AWS SecretManager
uses: say8425/aws-secrets-manager-actions@v2
with:
AWS_DEFAULT_REGION: "YOUR-AWS-REGION"
SECRET_NAME: ${{ env.SECRET_NAME }}
OUTPUT_PATH: '.env' # optional
steps:
- name: Store ENV from AWS SecretManager
uses: say8425/aws-secrets-manager-actions@v2
with:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
SECRET_NAME: ${{ secrets.SECRET_NAME }}
OUTPUT_PATH: '.env' # optional
Add your AWS IAM keys and you secret name that you want to use from your AWS Secrets Manager secrets list. Then your secrets will be defined environment values.
You need AWS IAM user that has proper policy to access AWS Secrets Manager.
If you have it, then add this IAM user keys at AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
and region AWS_DEFAULT_REGION
.
But we greatly recommend to store these keys at GitHub Secrets.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
If you need policy example, then feel free to use this above policy. And you can get more information at AWS User Guide.
Add you want to use secret name from your AWS Secrets Manager secrets list. You can use only one secret name.
Your secrets will be environment values.
And these environment values are masked with ***
. So never be revealed.
Most of the secrets are can be parsed.
But some case, parsing can be failed, like invalid json.
In this case, this unparsed raw sting will be stored in asm_secret
env key.
You can export these environment variables to file with OUTPUT_PATH
input parameter.
When you define OUTPUT_PATH
, then action create a file named as you defined.
And environments will be exported into this file.
Your Contributions are always welcome! Feel free to check issues or Pull Requests
This project is MIT licensed.