NashTech Insights

GitHub Actions Workflow: Extracting Secrets from AWS Secret Manager

Vidushi Bansal

In this blog we will have a look at a workflow file for GitHub Actions that extracts secrets from AWS Secrets Manager and hands them to later steps without leaking them into the job log.

To retrieve secrets from AWS Secrets Manager and use them in your GitHub Actions workflow, you can call the AWS CLI from a run step and pass the value to later steps through the $GITHUB_ENV file. Note that the workflow's own secrets context (${{ secrets.NAME }}) only holds what is stored in the repository settings; the secret kept in AWS is fetched at run time with the CLI.

name: Deploy to Production
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Secrets from AWS Secrets Manager
        env:
          AWS_REGION: us-east-1
        run: |
          # Install AWS CLI (skip when the self-hosted runner already has it)
          if ! command -v aws >/dev/null 2>&1; then
            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
            unzip -q awscliv2.zip
            sudo ./aws/install
          fi
          # Retrieve the secret from AWS Secrets Manager.
          # No space around '=': "SECRET_VALUE= $(...)" would execute the secret as a command.
          SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id my-secret-id --region "$AWS_REGION" --query 'SecretString' --output text)
          # Mask the value before anything can print it, then export it to later steps.
          # '::set-env' is disabled by GitHub; appending to $GITHUB_ENV is the replacement.
          echo "::add-mask::$SECRET_VALUE"
          echo "MY_SECRET=$SECRET_VALUE" >> "$GITHUB_ENV"
      - name: Deploy to Production
        run: |
          # $MY_SECRET is available here via $GITHUB_ENV. Pass it to your tools
          # through the environment; never echo it, masking is best-effort only.
          test -n "$MY_SECRET" || { echo "MY_SECRET is not set"; exit 1; }
          # Add your deployment commands here

In this example, we have a workflow named “Deploy to Production” triggered by a push event to the main branch. The workflow performs the following steps:

  1. It checks out the code from the repository using the actions/checkout action.
  2. It runs a step to retrieve the secret value from AWS Secrets Manager. The AWS_REGION environment variable specifies the AWS region where your secret is stored; adjust it according to your setup, and read it in the script as $AWS_REGION rather than interpolating it into the shell text with ${{ }}. The curl, unzip and install commands install the AWS CLI (on a self-hosted runner you can install it once and skip this block), and the aws secretsmanager get-secret-value command then retrieves the secret value for the specified secret ID. There must be no space around the = in the shell assignment: SECRET_VALUE= $(...) would run the secret's contents as a command instead of storing them. The value is first masked with the ::add-mask:: workflow command and then appended to the file named by $GITHUB_ENV, which is how values reach later steps now that GitHub has disabled the ::set-env command. This step configures no AWS credentials, so it assumes the self-hosted runner already has them, for example from an EC2 instance profile. Make sure to replace my-secret-id with your actual secret ID.
  3. Finally, in the deployment step, the MY_SECRET environment variable is available and can be used by your deployment commands or processes; hand it to tools through the environment rather than echoing it.

Note that writing a value to $GITHUB_ENV does not mask it: only the ::add-mask:: command tells the runner to redact the value in the job log, and it has to run before anything prints the value. The older ::set-env command was disabled by GitHub in November 2020 (CVE-2020-15228) because any untrusted text that reached stdout could inject workflow commands and set arbitrary environment variables for later steps; $GITHUB_ENV is a file append rather than a parsed log line, which closes that path. Avoid echoing the secret anywhere in the job, even for debugging, since masking only catches exact occurrences of the registered value and is best-effort. Adjust the deployment step according to your specific deployment requirements.
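To make the masking and $GITHUB_ENV handling concrete, here is an added example in Python (not code from the original post). It stands in for the two echo lines in the run step above: it takes the SecretString returned by the CLI, masks every line of it, and appends it to $GITHUB_ENV, using the heredoc form for multi-line values and, optionally, splitting a JSON key/value secret into one variable per key the way the AWS action does. The sample secret, the alias my-secret-id and the temporary file that stands in for $GITHUB_ENV are constructed for the demo.

```python
"""Publish an AWS Secrets Manager secret to later GitHub Actions steps.

Added example, not code from the original post. It does what the deprecated
'::set-env' line used to do, with the two primitives GitHub still supports:
  * '::add-mask::<value>' printed to stdout, which redacts the value in logs
  * 'NAME=value' (or a heredoc for multi-line values) appended to $GITHUB_ENV
The secret string used in __main__ is a constructed sample; in the workflow it
would be the output of 'aws secretsmanager get-secret-value --query SecretString'.
"""
import json
import os
import re
import secrets
import sys

ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def env_name(raw):
    """Same convention as aws-actions/aws-secretsmanager-get-secrets:
    upper-case, every character outside [A-Za-z0-9] becomes '_'."""
    name = re.sub(r"[^A-Za-z0-9]", "_", raw).upper()
    if not ENV_NAME_RE.match(name):
        raise ValueError(f"cannot derive an environment variable name from {raw!r}")
    return name


def expand_secret(secret_string, alias, parse_json=False):
    """Return {ENV_NAME: value}. With parse_json, a JSON object secret such as
    {"username": ..., "password": ...} becomes ALIAS_USERNAME, ALIAS_PASSWORD."""
    base = env_name(alias)
    if parse_json:
        try:
            obj = json.loads(secret_string)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            return {f"{base}_{env_name(k)}": v if isinstance(v, str) else json.dumps(v)
                    for k, v in obj.items()}
    return {base: secret_string}


def mask_commands(values):
    """One '::add-mask::' command per line: the runner masks per line, so a
    multi-line secret masked as a whole would still leak one line at a time."""
    return [f"::add-mask::{line}" for value in values
            for line in value.splitlines() if line.strip()]


def github_env_lines(pairs, delimiter=None):
    """Render the lines appended to $GITHUB_ENV. Multi-line values use the
    documented heredoc form NAME<<DELIM ... DELIM; the delimiter is random so
    a crafted value cannot close the heredoc early and define extra variables."""
    lines = []
    for name, value in pairs.items():
        if "\n" not in value:
            lines.append(f"{name}={value}")
            continue
        delim = delimiter or "ghadelimiter_" + secrets.token_hex(8)
        while delim in value:  # the delimiter must not occur inside the value
            delim = "ghadelimiter_" + secrets.token_hex(8)
        lines.extend([f"{name}<<{delim}", value, delim])
    return lines


def export_secret(secret_string, alias, parse_json=False, env_path=None, out=sys.stdout):
    """Mask first, then publish. Order matters: nothing printed before the
    '::add-mask::' command is redacted. Returns the exported variable names."""
    pairs = expand_secret(secret_string, alias, parse_json)
    for cmd in mask_commands(pairs.values()):
        print(cmd, file=out)
    with open(env_path or os.environ["GITHUB_ENV"], "a", encoding="utf-8") as fh:
        for line in github_env_lines(pairs):
            fh.write(line + "\n")
    return sorted(pairs)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a JSON key/value secret with a multi-line password.
    sample = '{"username": "app", "password": "p@ss\\nword"}'
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        env_file = tmp.name  # stands in for $GITHUB_ENV when run outside Actions
    print(export_secret(sample, "my-secret-id", parse_json=True, env_path=env_file))
    with open(env_file, encoding="utf-8") as fh:
        print(fh.read())
```

Inside a workflow the call would be `python3 export_secret.py` (or an inline heredoc) placed after the CLI call, with the SecretString passed in through an environment variable rather than as a command-line argument, since arguments are visible in process listings on the runner.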

Remember to properly manage access permissions for the AWS credentials used in your workflow: the IAM principal the runner uses should be allowed only secretsmanager:GetSecretValue (plus kms:Decrypt when the secret is encrypted with a customer managed key) on the ARN of that specific secret, and the credentials should be short-lived wherever possible. Follow AWS security best practices for secret retrieval and management.

To simplify the process of extracting secrets from AWS Secrets Manager in GitHub Actions, you can use pre-defined actions available in the GitHub Marketplace. One popular option is the aws-actions/configure-aws-credentials action together with the AWS-maintained aws-actions/aws-secretsmanager-get-secrets action, which fetches one or more secrets, masks their values in the log and injects them as environment variables. Here's an example of how to use them:

name: Deploy to Production
on:
  push:
    branches:
    - main
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Get Secrets from AWS Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          # "<alias>,<secret name or ARN>": the value is exported as $MY_SECRET
          secret-ids: |
            MY_SECRET,my-secret-id

      - name: Deploy to Production
        run: |
          # $MY_SECRET was injected and masked by the previous step; never echo it
          test -n "$MY_SECRET" || { echo "MY_SECRET is not set"; exit 1; }
          # Add your deployment commands here

In this example, we're using the aws-actions/configure-aws-credentials action to set up AWS credentials for the subsequent steps. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are the names of secrets you create in the GitHub repository settings; replace them with your own names. Long-lived access keys are the least preferred way to drive this action: where you can, register GitHub as an OpenID Connect identity provider in IAM and use the action's role-to-assume input (with permissions: id-token: write on the job), so the workflow obtains short-lived credentials and nothing has to be stored in repository secrets.

Then, we use the aws-actions/aws-secretsmanager-get-secrets action to retrieve the secret value from AWS Secrets Manager. The secret-ids input takes one entry per line, each either a secret name or ARN, or an alias,secret pair; the action exports each value as an environment variable named after the alias (or after the secret name, upper-cased, with other characters replaced by underscores) and masks it in the log. With parse-json-secrets: true, a JSON key/value secret is split into one variable per key, for example MY_SECRET_USERNAME and MY_SECRET_PASSWORD.

Finally, in the deployment step, the MY_SECRET environment variable is already present and can be used by your deployment commands or processes without any further env: wiring.

Make sure to adjust the region, secret ID, and deployment commands according to your specific setup and requirements.

Using pre-defined actions simplifies the process of integrating AWS Secrets Manager with GitHub Actions, provides better readability, and lets you benefit from actions maintained by AWS that handle the authentication, the masking and the API calls for you.
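Pulling the hardening points from both sections together, here is an added example (not part of the original post and not an AWS or GitHub tool) of a small standard-library Python checker that flags the patterns discussed above in a workflow file: the disabled ::set-env command, a secret echoed to the log, long-lived AWS keys held in repository secrets instead of OIDC, actions pinned to a mutable tag rather than a commit SHA, and a missing permissions: block. It is line-based rather than a YAML parser, so it is a quick pre-commit or CI gate, not a complete analysis. The two workflows embedded in it are constructed inputs: the first reproduces the post's original pattern, the second a hardened form whose 40-hex SHAs, role ARN and account id are placeholders.

```python
"""Line-based checker for the secret-handling pitfalls discussed on this page.

Added example, not part of the original post or of any AWS/GitHub tool. It
avoids a YAML parser on purpose so it runs with the standard library only.
"""
import re

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
# An echo whose output is a runner command or goes into $GITHUB_ENV/$GITHUB_OUTPUT
# is not a log write, so it is exempt from ECHO_SECRET.
LOG_SAFE = re.compile(r"::add-mask::|>>\s*\"?\$\{?GITHUB_(ENV|OUTPUT)")
LINE_RULES = [
    ("SET_ENV", re.compile(r"::(set-env|add-path)\b"),
     "'::set-env'/'::add-path' are disabled by GitHub (CVE-2020-15228); append to $GITHUB_ENV / $GITHUB_PATH instead"),
    ("ECHO_SECRET", re.compile(r"\becho\b.*(\$\{?[A-Za-z0-9_]*SECRET[A-Za-z0-9_]*|\$\{\{\s*secrets\.)"),
     "a secret is written to the job log; drop the echo, or mask the value with '::add-mask::' first"),
    ("STATIC_KEYS", re.compile(r"aws-(access-key-id|secret-access-key):\s*\$\{\{\s*secrets\."),
     "long-lived AWS keys in repository secrets; prefer OIDC ('role-to-assume' plus 'permissions: id-token: write')"),
]


def lint(workflow_text):
    """Return (line_number, rule_id, message) findings; line 0 is file-level."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        for rule_id, pattern, msg in LINE_RULES:
            if rule_id == "ECHO_SECRET" and LOG_SAFE.search(line):
                continue
            if pattern.search(line):
                findings.append((no, rule_id, msg))
        m = USES.match(line)
        ref = m.group(1) if m else ""
        if "@" in ref and not ref.startswith((".", "docker://")) and not SHA_PIN.search(ref):
            findings.append((no, "UNPINNED",
                             f"{ref} is pinned to a mutable tag; pin third-party actions to a full commit SHA"))
    if not re.search(r"^\s*permissions:", workflow_text, re.M):
        findings.append((0, "NO_PERMISSIONS",
                         "no 'permissions:' block; the default GITHUB_TOKEN grants may be broader than the job needs"))
    return findings


# Constructed input 1: the pattern from the post's original workflow.
ORIGINAL = """\
name: Deploy to Production
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v2
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: |
          SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id my-secret-id --query SecretString --output text)
          echo "::set-env name=MY_SECRET::$SECRET_VALUE"
      - run: echo "Secret value: $MY_SECRET"
"""

# Constructed input 2: hardened form. The SHAs, role ARN and account id are placeholders.
HARDENED = """\
name: Deploy to Production
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy
          aws-region: us-east-1
      - run: |
          SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id my-secret-id --query SecretString --output text)
          echo "::add-mask::$SECRET_VALUE"
          echo "MY_SECRET=$SECRET_VALUE" >> "$GITHUB_ENV"
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(f"== {label}: {len(lint(text))} finding(s)")
        for no, rule_id, msg in lint(text):
            print(f"  line {no:>2} {rule_id:<14} {msg}")
```

Run against the original pattern it reports the unpinned checkout and credentials actions, both static key inputs, the ::set-env line (which also counts as echoing the secret), the debugging echo and the missing permissions block; the hardened workflow produces no findings. Because the rules are regular expressions over single lines, a secret assembled across lines or printed by something other than echo will get past it, which is the usual trade-off for a parser-free check.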
