Use Key Vault secrets in GitHub Actions workflows

Note

The Azure Key Vault action (Azure/get-keyvault-secrets) is deprecated. The recommended alternative is the Azure CLI action with a custom script that reads the secrets from Azure Key Vault with the Azure CLI.

Use Key Vault secrets in your GitHub Actions workflows so that passwords and other secrets are stored securely in an Azure key vault instead of in the repository. Learn more about Key Vault.

Key Vault secrets differ from GitHub secrets:

  • Key Vault centralizes storage of application secrets in Azure. GitHub secrets are stored in GitHub, per repository, environment, or organization.
  • Key Vault also manages keys and certificates, not only secrets.
  • Key Vault controls access with Azure role-based access control (Azure RBAC) or, on vaults that use the older permission model, vault access policies.

When you combine Key Vault and GitHub Actions, you have the benefits of a centralized secrets management tool and all the advantages of GitHub Actions.

Prerequisites

Workflow file overview

The YAML workflow file includes two sections:

    Section          Tasks
    Authentication   1. Define a service principal.
                     2. Create a GitHub secret.
                     3. Add a role assignment.
    Key Vault        1. Add the key vault action.
                     2. Reference the key vault secret.

Learn more about the components of GitHub Actions.

Define a service principal

You can create a service principal with the az ad sp create-for-rbac command in the Azure CLI. Run this command in Azure Cloud Shell in the Azure portal or with a locally installed Azure CLI.

   az ad sp create-for-rbac --name {myApp} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{MyResourceGroup} --sdk-auth

In the example above, replace the placeholders with your subscription ID and resource group name, and replace myApp with the name of your application. The Contributor role scoped to the whole resource group is broader than reading secrets requires; narrow the role and the --scopes value to the resources the rest of your workflow actually has to manage. The output is a JSON object with the credentials of the new service principal, similar to the one below. Copy it for the next step. The Azure login action only needs the clientId, clientSecret, subscriptionId, and tenantId fields, so you can trim the object to those four lines. Treat the clientSecret like a password: it is shown once at creation and cannot be retrieved later.

  {
    "clientId": "<GUID>",
    "clientSecret": "<client secret string>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    (...)
  }

Create a GitHub secret

Store the service principal credentials as a GitHub repository secret.

  1. In GitHub, go to your repository.

  2. Select Settings > Secrets and variables > Actions.


  3. Select New repository secret.

  4. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name AZURE_CREDENTIALS.

  5. Select Add secret.

Add a role assignment

Grant the service principal get and list permissions on secrets in your key vault. Without this, the service principal can sign in, but the Key Vault step fails with an authorization error when it tries to read the secrets.

The command below applies a vault access policy, which is the permission model this example assumes. If your vault uses the Azure RBAC permission model instead, access policies are ignored; assign the built-in Key Vault Secrets User role to the service principal on the vault instead.

Replace keyVaultName with the name of your key vault and clientIdGUID with the value of your clientId.

    az keyvault set-policy -n {keyVaultName} --secret-permissions get list --spn {clientIdGUID}

Add the key vault action

With the Azure Key Vault action, you can fetch one or more secrets from a key vault instance and consume them in later steps of your GitHub Actions workflow.

Fetched secrets are set as outputs of the step and also as environment variables. Their values are automatically masked when they are printed to the console or to logs. Masking only covers the exact secret string, so do not print derived values (for example a base64 encoding of the secret); those are not masked.

    - uses: Azure/get-keyvault-secrets@v1
      with:
        keyvault: "myVault"  # name of the key vault in the Azure portal (no spaces)
        secrets: 'mySecret'  # comma-separated list of secret names to fetch from the key vault
      id: myGetSecretAction  # step ID used to reference the fetched secrets

Add the Azure Login Action

The Key Vault action does not authenticate on its own. It uses the Azure CLI session created by the Azure Login action, so add an Azure/login step that uses the AZURE_CREDENTIALS secret before the Key Vault step.

Reference the key vault secret

To use a key vault in your workflow, you need both the key vault action step and a reference to that step's outputs in a later step.

In this example, the key vault is named containervault. The key vault action fetches two secrets from it, containerPassword and containerUsername, and exposes them as step outputs.

The key vault values are later referenced in the docker login step with the prefix steps.myGetSecretAction.outputs. For example, the username value is referenced as ${{ steps.myGetSecretAction.outputs.containerUsername }}.

The syntax for referencing a GitHub secret is different. In the Azure login step, the AZURE_CREDENTIALS secret is referenced as ${{ secrets.AZURE_CREDENTIALS }}.

    name: Example key vault flow

    on: [push]

    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
        # check out the repo
        - uses: actions/checkout@v2
        # sign in to Azure with the service principal stored in the AZURE_CREDENTIALS GitHub secret
        - uses: Azure/login@v1
          with:
            creds: ${{ secrets.AZURE_CREDENTIALS }}
        # fetch two secrets from the containervault key vault (requires the login above)
        - uses: Azure/get-keyvault-secrets@v1
          with:
            keyvault: "containervault"
            secrets: 'containerPassword, containerUsername'
          id: myGetSecretAction
        # consume the fetched secrets as outputs of the myGetSecretAction step
        - uses: azure/docker-login@v1
          with:
            login-server: myregistry.azurecr.io
            username: ${{ steps.myGetSecretAction.outputs.containerUsername }}
            password: ${{ steps.myGetSecretAction.outputs.containerPassword }}
        - run: |
            docker build . -t myregistry.azurecr.io/myapp:${{ github.sha }}
            docker push myregistry.azurecr.io/myapp:${{ github.sha }}
        - uses: azure/webapps-deploy@v2
          with:
            app-name: 'myapp'
            publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
            images: 'myregistry.azurecr.io/myapp:${{ github.sha }}'
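
Because the Key Vault action is deprecated (see the note at the top of the page), the same secrets can be fetched by a plain run step, or by the Azure CLI action's inline script, that runs after the Azure login step. The following script is an added example written for this page; it is not code from the original page or from the Azure actions. It assumes the Azure CLI on the runner is already signed in, that the vault and secret names are passed as arguments, and that the names export_kv_secrets, write_output, AZ and the file name fetch-secrets.sh are chosen here for illustration. It reproduces what the deprecated action did (secrets become masked step outputs) and adds the two checks the action's documentation above leaves implicit: every line of a value is masked before it is written anywhere, and outputs are written in GitHub's delimited form with a random delimiter so a multi-line secret cannot inject extra outputs.

```shell
#!/bin/sh
# Added example (not from the original page or the Azure actions): fetch Key
# Vault secrets in a GitHub Actions step without the deprecated
# Azure/get-keyvault-secrets action. Use it as the script of a `run:` step (or
# as the inlineScript of the Azure CLI action) that follows Azure/login, so the
# Azure CLI on the runner is already signed in.
set -eu

# Command used to call Azure. Overridable (AZ=stub) so the functions can be
# exercised without a real `az` binary or a vault; defaults to `az`.
: "${AZ:=az}"

# Publish a secret value as a step output in GitHub's delimited form:
#   name<<delim
#   value
#   delim
# A random delimiter is used because a value that itself contained the
# delimiter line could otherwise inject additional outputs.
write_output() {
  name=$1
  value=$2
  delim=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set; run inside a job step}"
}

# export_kv_secrets VAULT NAME...
# Reads each named secret, masks it in the job log, and exposes it as a step
# output so later steps can use ${{ steps.<id>.outputs.NAME }}, exactly as
# the deprecated action did. Fails the step if any secret is missing or empty.
export_kv_secrets() {
  vault=$1; shift
  for name in "$@"; do
    # --query value -o tsv prints the bare value: no JSON, no quotes
    if ! value=$("$AZ" keyvault secret show --vault-name "$vault" \
                   --name "$name" --query value -o tsv) || [ -z "$value" ]; then
      echo "secret '$name' in vault '$vault' is missing or empty" >&2
      return 1
    fi
    # Mask before anything else can print it. The mask matches the exact
    # string, so each line is registered separately; derived values (for
    # example a base64 encoding) would still appear in the log.
    printf '%s\n' "$value" | while IFS= read -r line; do
      if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
    done
    write_output "$name" "$value"
  done
}

# Stand-alone use from a step:
#   ./fetch-secrets.sh containervault containerPassword containerUsername
if [ "$#" -gt 0 ]; then
  export_kv_secrets "$@"
fi
```

To use it in the workflow above, replace the Azure/get-keyvault-secrets step with a run step that has id: myGetSecretAction and executes the script with the arguments containervault containerPassword containerUsername. The Azure/login step still has to run first, and the later ${{ steps.myGetSecretAction.outputs.containerUsername }} and containerPassword references are unchanged.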

Clean up resources

When your Azure app, GitHub repository, and key vault are no longer needed, clean up the resources you deployed by deleting the resource group for the app, GitHub repository, and key vault.

Next steps