Skip to content
google-github-actions

GitHub Action

Get Secret Manager secrets

v0.2.1 Latest version
Use latest version
google-github-actions

Get Secret Manager secrets

Get secrets from Google Secret Manager and make their results available as output variables

Installation

Copy and paste the following snippet into your .yml file.

- name: Get Secret Manager secrets
  uses: google-github-actions/[email protected]
Learn more about this action in google-github-actions/get-secretmanager-secrets
Choose a version

get-secretmanager-secrets

This action fetches secrets from Secret Manager and makes them available to later build steps via outputs. This is useful when you want Secret Manager to be the source of truth for secrets in your organization, but you need access to those secrets in build steps.

Secrets that are successfully fetched are set as output variables and can be used in subsequent actions. After a secret is accessed, its value is added to the mask of the build to reduce the chance of it being printed or logged by later steps.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See the Authorization section below for more information.

Usage

steps:
- id: secrets
  uses: google-github-actions/[email protected]
  with:
    secrets: |-
      token:my-project/docker-registry-token

# Example of using the output
- id: publish
  uses: foo/[email protected]
  env:
    TOKEN: ${{ steps.secrets.outputs.token }}

Inputs

  • secrets: (Required) The list of secrets to access and inject into the environment. Due to limitations with GitHub Actions inputs, this is specified as a string.

    You can specify multiple secrets by putting each secret on its own line:

    secrets: |-
      output1:my-project/my-secret1
      output2:my-project/my-secret2

    Secrets can be referenced using the following formats:

    # Long form
    projects/<project-id>/secrets/<secret-id>/versions/<version-id>
    
    # Long form - "latest" version
    projects/<project-id>/secrets/<secret-id>
    
    # Short form
    <project-id>/<secret-id>/<version-id>
    
    # Short form - "latest" version
    <project-id>/<secret-id>
    
  • credentials: (Optional) Google Service Account JSON credentials, typically sourced from a GitHub Secret. If unspecified, other authentication methods are attempted.

Outputs

Each secret is prefixed with an output name. The secret's resolved access value will be available at that output in future build steps.

For example:

steps:
- id: secrets
  uses: google-github-actions/[email protected]
  with:
    secrets: |-
      token:my-project/docker-registry-token

will be available in future steps as the output "token":

- id: publish
  uses: foo/[email protected]
  env:
    TOKEN: ${{ steps.secrets.outputs.token }}

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

Via the setup-gcloud action

You can provide credentials using the setup-gcloud action:

- uses: google-github-actions/[email protected]
  with:
    project_id: ${{ env.PROJECT_ID}}
    service_account_key: ${{ secrets.GCP_SA_KEY }}
    export_default_credentials: true
- uses: google-github-actions/[email protected]

The advantage of this approach is that it authenticates all future actions. A disadvantage of this approach is that downloading and installing gcloud may be heavy for some use cases.

Via credentials

You can provide Google Cloud Service Account JSON directly to the action by specifying the credentials input. First, create a GitHub Secret that contains the JSON content, then import it into the action:

- id: secrets
  uses: google-github-actions/[email protected]
  with:
    credentials: ${{ secrets.gcp_credentials }}
    secrets: |-
      # ...

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

- id: secrets
  uses: google-github-actions/[email protected]

The action will automatically detect and use the Application Default Credentials.