
Use Azure Key Vault in GitHub Actions

Using a centralized location like Azure Key Vault to store secrets provides better control and management than storing secrets directly in GitHub: a workflow fetches the value at run time, so the secret is rotated and audited in one place instead of being copied into every repository. This approach is especially useful when managing secrets across multiple repositories or organizations. The only thing that still lives in GitHub is the credential of a service principal that is allowed to read the vault.


Prerequisites

  • An Azure Key Vault

Create a Service Principal for Key Vault Access

Create a service principal (SPN) with no roles or rights yet. This SPN will later receive only get and list permissions on the Key Vault. Note that older Azure CLI releases assigned Contributor on the whole subscription by default when no --role was given; current releases assign nothing, so check with `az role assignment list --assignee {appId}` that the new principal really has no role.

az ad sp create-for-rbac --name "spn-reader-example"

Keep the JSON output for the next step. The password field is the client secret and is shown only once; treat the output as a credential and do not commit it anywhere.

Add the SPN to GitHub Secrets

In your GitHub repository, go to Settings > Secrets and variables > Actions (older UI: Settings > Security > Secrets > Actions) and create a new secret called AZURE_CREDENTIALS. Paste the JSON output from the SPN creation:

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "spn-reader-example",
  "password": "0000000000000000000000000000000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000"
}

Keep in mind that this is the raw `az ad sp create-for-rbac` format (appId, password, tenant). The azure/login action's `creds` input expects the keys clientId, clientSecret, subscriptionId and tenantId instead, so either log in with `az login --service-principal` from the JSON above or store the output of `az ad sp create-for-rbac --sdk-auth` if you want to use azure/login directly.

Assign Read Rights to the Key Vault

Assign get and list rights for the SPN in the Key Vault access policy (no set, delete or purge; the reader SPN must not be able to change anything):

az keyvault set-policy -n {keyVaultName} --secret-permissions get list --spn {appID}

This only works for vaults that use the vault access policy permission model. If the vault uses the Azure RBAC permission model (the default for new vaults created in the portal), set-policy has no effect on data-plane access; assign the built-in "Key Vault Secrets User" role to the SPN, scoped to that vault, instead. Verify with a test read (`az keyvault secret show`) as the SPN before relying on it in a workflow.
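The following workflow puts the steps above together: it logs in with the reader SPN stored in AZURE_CREDENTIALS, reads one secret from the vault and masks it before handing it to a later step. It is an added example, not code from the original page. The vault name `kv-example`, the secret name `db-password` and the assumption that AZURE_CREDENTIALS holds the appId/password/tenant JSON exactly as shown above are mine; the azure/login action is deliberately not used because its `creds` input expects differently named keys.

```yaml
# Added example (not from the original page). Assumed: vault "kv-example",
# secret "db-password", and AZURE_CREDENTIALS in the appId/password/tenant
# shape produced by `az ad sp create-for-rbac`. Runs on the GitHub-hosted
# ubuntu runner, which ships with the Azure CLI and jq.
name: read-keyvault-secret

on:
  workflow_dispatch:

permissions:
  contents: read   # the workflow needs no write access to the repository

jobs:
  fetch-secret:
    runs-on: ubuntu-latest
    env:
      KEY_VAULT_NAME: kv-example   # assumed vault name
      SECRET_NAME: db-password     # assumed secret name
    steps:
      # Log in as the reader SPN. The JSON uses the appId/password/tenant keys,
      # so it is parsed with jq and passed to `az login --service-principal`
      # instead of azure/login (whose `creds` input wants clientId/clientSecret/
      # subscriptionId/tenantId).
      - name: Azure login (reader service principal)
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          set -euo pipefail
          app_id=$(jq -r .appId <<<"$AZURE_CREDENTIALS")
          password=$(jq -r .password <<<"$AZURE_CREDENTIALS")
          tenant=$(jq -r .tenant <<<"$AZURE_CREDENTIALS")
          az login --service-principal \
            --username "$app_id" --password "$password" --tenant "$tenant" \
            --output none

      # Read the secret value. `--query value -o tsv` prints the bare value;
      # `::add-mask::` makes the runner redact it from all further log output
      # before it is exported as a step output.
      - name: Fetch secret from Key Vault
        id: kv
        run: |
          set -euo pipefail
          value=$(az keyvault secret show \
            --vault-name "$KEY_VAULT_NAME" --name "$SECRET_NAME" \
            --query value --output tsv)
          echo "::add-mask::$value"
          echo "db_password=$value" >> "$GITHUB_OUTPUT"

      # Consumer step: only the length is logged, never the value itself.
      - name: Use the secret
        env:
          DB_PASSWORD: ${{ steps.kv.outputs.db_password }}
        run: |
          set -euo pipefail
          test -n "$DB_PASSWORD"
          echo "secret retrieved (length ${#DB_PASSWORD})"

      # Drop the CLI token cache from the runner even if an earlier step failed.
      - name: Azure logout
        if: always()
        run: az logout || true
```

Because this SPN only has get and list on secrets, a compromised workflow token can read but not modify or delete anything in the vault. If a secret value can contain newlines, write it to `$GITHUB_OUTPUT` with the `name<<EOF` heredoc form instead of the single-line `name=value` form, otherwise the output is truncated at the first line break.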

Create a Service Principal with Contributor Role

Create a separate SPN with the Contributor role for CRUD operations, and store its credentials in a different GitHub secret than the reader SPN so that the two are never confused:

az ad sp create-for-rbac --name "spn-contributor-example" --role="Contributor" --scopes="/subscriptions/00000000-0000-0000-0000-000000000000"

Contributor on the whole subscription is far more than managing one vault needs. Narrow the --scopes value to the resource group, or the vault itself, that the workflow actually writes to; the command requires --scopes whenever --role is given, so there is no default to fall back on.

Create an Azure service principal name (SPN) with a client secret