Use Azure Key Vault in GitHub Actions¶
Using a centralized location like Azure Key Vault to store secrets provides better control and management compared to storing secrets directly in GitHub. This approach is especially useful when managing secrets across multiple repositories or organizations.
Prerequisites¶
- An Azure Key Vault
Create a Service Principal for Key Vault Access¶
Create a service principal (SPN) with no roles or rights yet. This SPN will have `get` and `list` permissions on the Key Vault. Keep the JSON output for the next step.
Add the SPN to GitHub Secrets¶
In your GitHub repository, go to Settings > Security > Secrets > Actions and create a new secret called `AZURE_CREDENTIALS`. Paste the JSON output from the SPN creation:
```json
{
  "appId": "00000000-00000-0000-0000-000000000000",
  "displayName": "spn-reader-example",
  "password": "0000000000000000000000000000000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000"
}
```
Assign Read Rights to the Key Vault¶
Assign `get` and `list` rights for the SPN to the Key Vault access policy:
Create a Service Principal with Contributor Role¶
Create an SPN with the Contributor role for CRUD operations:
```bash
az ad sp create-for-rbac --name "spn-contributor-example" --role="Contributor" --scopes="/subscriptions/00000000-0000-0000-0000-000000000000"
```
Create an Azure service principal name (SPN) with a client secret
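A workflow that ties the steps above together, logging in with the `AZURE_CREDENTIALS` JSON of the get/list SPN and reading one secret from the vault; this is an added example, not part of the original page. The vault name `kv-example` and secret name `db-password` are assumed placeholders.

```yaml
name: read-keyvault-secret

on:
  workflow_dispatch:

permissions:
  contents: read          # nothing else is needed from GitHub itself

jobs:
  fetch-secret:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with the get/list SPN
        env:
          # The JSON pasted into the AZURE_CREDENTIALS secret (appId/password/tenant)
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          set -euo pipefail
          app_id="$(jq -r '.appId'    <<< "$AZURE_CREDENTIALS")"
          password="$(jq -r '.password' <<< "$AZURE_CREDENTIALS")"
          tenant="$(jq -r '.tenant'   <<< "$AZURE_CREDENTIALS")"
          # GitHub masks the whole secret string, not substrings parsed out of it
          echo "::add-mask::$password"
          # The reader SPN holds no subscription role, only a vault access policy,
          # so the login must be allowed to succeed with no subscription attached
          az login --service-principal \
            --username "$app_id" --password "$password" --tenant "$tenant" \
            --allow-no-subscriptions > /dev/null

      - name: Read a secret from the vault
        id: kv
        env:
          VAULT_NAME: kv-example       # assumed vault name
          SECRET_NAME: db-password     # assumed secret name
        run: |
          set -euo pipefail
          value="$(az keyvault secret show --vault-name "$VAULT_NAME" \
                     --name "$SECRET_NAME" --query value -o tsv)"
          echo "::add-mask::$value"                 # redact it from the job log
          echo "db_password=$value" >> "$GITHUB_OUTPUT"

      - name: Use the secret
        env:
          DB_PASSWORD: ${{ steps.kv.outputs.db_password }}
        run: |
          # Consume it via the environment; never echo it
          test -n "$DB_PASSWORD" && echo "secret retrieved"

      - name: Log out
        if: always()
        run: az logout
```

Because the reader SPN only has `get` and `list` on the vault, any attempt to set or delete a secret from this workflow fails at the access-policy check, which is the least-privilege property the separate Contributor SPN is meant to preserve.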