Use Azure key vault in an action

You can, and arguably should, use a separate, centralized location to store your secrets instead of GitHub Secrets itself. A centralized location gives you better control over where your (probably many) secrets live, so you can be sure you stay in control of them. Secrets stored in GitHub are still secure, but they are harder to keep track of: you may have secrets spread across multiple GitHub repositories or organizations, and that can quickly become chaotic.

This page steps through a configuration that uses an Azure Key Vault to store the secrets of a service principal with Contributor rights.

Prerequisites

  • You need an Azure Key vault

Create the service principal that can read the key vault

  • This SPN will be given get and list permissions against the Azure Key Vault in a later step; the command below only creates the SPN, with no roles or rights assigned yet
  • Give it a name such as ‘spn-reader-{target}’
  • Keep the JSON output ready for the next step

az ad sp create-for-rbac --name "spn-reader-example"

Create an Azure service principal name (SPN) with a client secret

Add the SPN with read rights to the GitHub secrets

  • In the GitHub repository from which the action will run, go to Settings > Security > Secrets > Actions
  • Create a new secret called AZURE_CREDENTIALS
  • Use the JSON output from the SPN creation step as the secret value. Keep the curly brackets in the paste, as in the example below
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "spn-reader-example",
  "password": "0000000000000000000000000000000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000"
}

Assign read rights to the key vault

  • This assigns get and list rights on the key vault access policy to the SPN created in the previous step
  • The appID is the appId value from the output of the SPN create step

az keyvault set-policy -n {keyVaultName} --secret-permissions get list --spn {appID}

Create the service principal with the Contributor role

  • This SPN will have the Contributor role assigned so it can perform CRUD operations against the target
  • Give it a name such as ‘spn-contributor-{target}’

az ad sp create-for-rbac --name "spn-contributor-example" --role="Contributor" --scopes="/subscriptions/00000000-0000-0000-0000-000000000000"

Create an Azure service principal name (SPN) with a client secret
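The steps above set up the vault, the reader SPN and the GitHub secret but do not show the workflow that consumes them. The following is an added example workflow, not part of the original page or of any Microsoft sample. It assumes a vault named kv-example that holds the contributor SPN's password under the secret name spn-contributor-password (both names are placeholders). It logs in with the appId/password/tenant JSON exactly as stored in AZURE_CREDENTIALS above; because the reader SPN has only a Key Vault access policy and no subscription role, az login needs --allow-no-subscriptions. The retrieved value is registered with ::add-mask:: before it can appear in the log and is passed to later steps through GITHUB_OUTPUT rather than being written to disk.

```yaml
name: read-keyvault-secret

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  use-secret:
    runs-on: ubuntu-latest
    env:
      KEY_VAULT_NAME: kv-example              # assumed: name of your key vault
      SECRET_NAME: spn-contributor-password   # assumed: secret name inside the vault
    steps:
      - name: Log in as the reader SPN
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          # AZURE_CREDENTIALS is the JSON printed by "az ad sp create-for-rbac"
          # (appId, displayName, password, tenant) stored as a GitHub secret.
          app_id="$(jq -r '.appId'    <<< "$AZURE_CREDENTIALS")"
          password="$(jq -r '.password' <<< "$AZURE_CREDENTIALS")"
          tenant="$(jq -r '.tenant'   <<< "$AZURE_CREDENTIALS")"
          # GitHub masks the whole secret, not substrings extracted from it.
          echo "::add-mask::$password"
          # The reader SPN holds no subscription role, only the vault access policy,
          # so tell az login not to expect any subscriptions.
          az login --service-principal \
            --username "$app_id" --password "$password" --tenant "$tenant" \
            --allow-no-subscriptions --output none

      - name: Read the secret from the vault
        id: kv
        run: |
          value="$(az keyvault secret show \
            --vault-name "$KEY_VAULT_NAME" --name "$SECRET_NAME" \
            --query value --output tsv)"
          # Mask first, then hand the value to later steps via GITHUB_OUTPUT.
          echo "::add-mask::$value"
          echo "contributor_password=$value" >> "$GITHUB_OUTPUT"

      - name: Use the secret
        env:
          CONTRIBUTOR_PASSWORD: ${{ steps.kv.outputs.contributor_password }}
        run: |
          # Fail the job if the vault returned an empty value instead of
          # silently continuing with missing credentials.
          test -n "$CONTRIBUTOR_PASSWORD"
          echo "Secret retrieved; the value is masked in the log."

      - name: Log out
        if: always()
        run: az logout
```

Keeping the read-only SPN in GitHub and the Contributor SPN only in the vault means a leaked GitHub secret yields vault read access scoped by the access policy, not Contributor rights on the subscription; the vault's audit logs then show every time the workflow reads the contributor secret.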

References

Use Key Vault secrets in GitHub Actions workflows

Last modified July 21, 2024: update (e2ae86c)