[FEAT]
navi86 opened this issue · 6 comments
Is your feature request related to a problem? Please describe.
I want to use AppRole, but I don't want to store roleid and secretid in GitHub, so it should be possible to get them from env.
I was trying to set env variables such as "INPUT_ROLEID" https://github.com/hashicorp/vault-action/blob/main/dist/index.js#L12235 , but it looks like I am missing something.
Hi @navi86, have you tried setting the roleid and secretid as GitHub secrets? That will make them available as environment variables, as mentioned here: https://github.com/hashicorp/vault-action#approle
@tvoran If I configure them as GitHub secrets then everything works, but as I mentioned earlier I don't want to use GitHub secrets; I want to configure env variables inside my local GitHub runners.
Have you tried referencing the environment variables directly? If the roleId and secretId are set in your runner's environment, then something like this should work:
```yaml
build:
  runs-on: self-hosted
  steps:
    - uses: actions/checkout@v2
    # Copy the values from the runner's own environment into the job environment,
    # masking the secret id first so it never shows up in the step log.
    - run: |
        echo "::add-mask::$VAULT_SECRET_ID" # keep the secret id out of the logs
        echo "VAULT_SECRET_ID=$VAULT_SECRET_ID" >> $GITHUB_ENV
        echo "VAULT_ROLE_ID=$VAULT_ROLE_ID" >> $GITHUB_ENV
    - name: Import Secrets
      uses: hashicorp/vault-action@v2
      with:
        url: https://vault.mycompany.com:8200
        caCertificate: ${{ secrets.VAULT_CA_CERT }}
        method: approle
        roleId: ${{ env.VAULT_ROLE_ID }}
        secretId: ${{ env.VAULT_SECRET_ID }}
        secrets: |
          secret/data/ci app_secret
```
The above worked for me, so I'll close this for now.
@tvoran
Sorry for the late response. Yes, this works, but anyone can print secret data to the console by mistake, so it would be quite dangerous to do it.
Great, glad it's working for you! And yes, be sure to mask any secret data with the ::add-mask:: directive:
```sh
echo "::add-mask::$VAULT_SECRET_ID"
```
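The pattern in the thread (read the AppRole credentials from the self-hosted runner's environment, mask them, then hand them to later steps through `$GITHUB_ENV`) has a few sharp edges that the two-line `echo` version does not handle: `::add-mask::` values need `%` and carriage returns escaped, a multi-line secret has to be masked line by line, a multi-line value written to `$GITHUB_ENV` needs the `NAME<<DELIM` form, and an empty value masks nothing. The script below is an added example, not code from hashicorp/vault-action or from either participant in this issue. It assumes it runs inside a `run:` step on a self-hosted runner (so `$GITHUB_ENV` is the file GitHub reads after the step) and that the secret already exists in the runner's environment under the name passed on the command line; the variable names, the delimiter prefix `ghenv_` and the function names are all this example's own.

```shell
#!/usr/bin/env sh
# Added example, not code from hashicorp/vault-action or from the issue thread.
# Assumptions: this runs inside a `run:` step on a self-hosted runner, so
# GITHUB_ENV points at the file GitHub reads after the step, and the secret
# already exists in the runner's environment under the name passed in.

NL='
'

# Escape one line for a workflow command. GitHub requires '%' -> '%25' and
# CR -> '%0D' in ::add-mask:: values; LF cannot occur because we feed one
# line at a time.
escape_cmd_line() {
  printf '%s' "$1" | awk '{ gsub(/%/, "%25"); gsub(/\r/, "%0D"); print }'
}

# Register every line of a value with ::add-mask::. Masking is line based, so a
# multi-line secret (a PEM key, say) has to be masked line by line or single
# lines of it can still appear in the log.
mask_value() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$(escape_cmd_line "$line")"
    fi
  done
}

# Append NAME=VALUE to $GITHUB_ENV. A value containing a newline must use the
# NAME<<DELIM ... DELIM form; a plain NAME=VALUE line would be cut at the first
# newline. The delimiter is extended until it no longer occurs in the value.
write_github_env() {
  name=$1
  value=$2
  case $value in
    *"$NL"*)
      delim="ghenv_${name}_$$"
      while case $value in *"$delim"*) true ;; *) false ;; esac; do
        delim="${delim}x"
      done
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
      ;;
  esac
}

# Copy the runner-environment variable NAME into the job environment, masking
# it first. NAME is validated before it reaches eval, an unset or empty value
# is rejected (an empty ::add-mask:: hides nothing), and masking happens before
# the value is written anywhere so no later step can log it unmasked.
export_runner_secret() {
  name=$1
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "refusing invalid variable name: $name" >&2
      return 2 ;;
  esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "$name is not set in the runner environment" >&2
    return 1
  fi
  if [ -z "${GITHUB_ENV:-}" ]; then
    echo "GITHUB_ENV is not set; are we inside a job step?" >&2
    return 1
  fi
  mask_value "$value"
  write_github_env "$name" "$value"
}

# Usage from a workflow step:
#   run: sh export_runner_secret.sh VAULT_ROLE_ID VAULT_SECRET_ID
for var in "$@"; do
  export_runner_secret "$var"
done
```

Run it as the first step of the job, before the `hashicorp/vault-action` step that references `${{ env.VAULT_ROLE_ID }}` and `${{ env.VAULT_SECRET_ID }}`. The mask is only applied to output produced after the `::add-mask::` command is seen, so anything a step printed earlier is not retroactively hidden; keeping the mask and the `$GITHUB_ENV` write in one function is what prevents that ordering mistake. The name check before `eval` matters too: a variable name taken from workflow input without it would let `x;id` become a command.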