
I have a GitHub Action where I am trying to insert a secret from Azure Key Vault into my appsettings.json. I was using https://github.com/Azure/get-keyvault-secrets and it was working, but I am getting a warning that it is deprecated.

The suggestion is to use azure/CLI@v1, https://github.com/Azure/cli. How do I set up the script so I can use the value of the secret in another step without using set-output, as it is deprecated?

This works, but I don’t want to use set-output anymore because it is being disabled soon:

    - name: Get Appsettings Key Vault Secrets
      uses: azure/CLI@v1
      with:
        azcliversion: 2.30.0
        inlineScript: |
          echo "::set-output name=ApiKey::$(az keyvault secret show --vault-name keyvaultname --name ApiKey --query value -o tsv)"
      id: azKeyVaultAppSettings

I tried this:

    jobs:
      build:

        runs-on: ubuntu-latest

        steps:
        - uses: actions/checkout@v3
        - name: Login to Azure
          uses: azure/login@v1
          with:
            creds: ${{ secrets.AZURE_CREDENTIALS }}

        - name: Get Appsettings Key Vault Secrets
          uses: azure/CLI@v1
          with:
            azcliversion: 2.30.0
            inlineScript: |
              echo "name=ApiKeyName::add-mask::$(az keyvault secret show --vault-name keyvaultname --name ApiKeyName --query value -o tsv)" >> $GITHUB_OUTPUT
          id: azKeyVaultAppSettings
        - name: Setup .NET
          uses: actions/setup-dotnet@v2
          with:
            dotnet-version: 5.x
        - name: Restore dependencies
          run: dotnet restore
        - name: Build
          run: dotnet build --configuration Release --no-restore
        - name: Swap appsettings vals
          uses: microsoft/variable-substitution@v1
          with:
            files: 'UI/appsettings.json'
          env:
            ApiKeyName: ${{ steps.azKeyVaultAppSettings.outputs.ApiKeyName }}

This is setting the value in the appsettings to an empty string. I am also wondering how to set it up so that when the Swap appsettings vals step runs, it doesn't output the secret value.

Thank you!

2 Answers


  1. Chosen as BEST ANSWER

    I was able to solve it by doing this:

        - name: Get Appsettings Key Vault Secrets
          run: |
            api_secret=$(az keyvault secret show --name MySecret --vault-name mykeyvault --query value -o tsv)
            echo "::add-mask::$api_secret"
            echo "ApiKey=$api_secret" >> "$GITHUB_OUTPUT"
          id: my-api-key  
    
        - name: Swap appsettings vals
          uses: microsoft/variable-substitution@v1
          with: 
            files: 'appsettings.json'
          env:
            ApiKey: ${{ steps.my-api-key.outputs.ApiKey}}
    

    I had to mask the secret so it wouldn't print in the logs, and set an id to be able to use the secret in the following step. I followed the example here for "Masking a generated output within a single job": https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
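
The pattern from the accepted answer above (mask on stdout first, then append `name=value` to `$GITHUB_OUTPUT`), written as an added example that is not part of the original answers and extended to multi-line secrets, which need one mask per line and the delimiter form of the output file. The helper name `set_secret_output` and the demo value are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. set_secret_output is a hypothetical helper name; it is not
# part of GitHub Actions or the Azure CLI.
# $1 = output name, $2 = secret value (may span several lines)
set_secret_output() {
  local name value line delim nl
  name=$1
  value=$2
  nl='
'
  # The runner parses workflow commands one stdout line at a time, so each
  # non-empty line of the secret gets its own ::add-mask:: command.
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done <<EOF
$value
EOF

  case $value in
    *"$nl"*)
      # Multi-line values need the name<<DELIMITER form. A random delimiter
      # keeps a line of the value from ending the block early.
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
      ;;
  esac
}

# In the workflow step, after azure/login:
#   set_secret_output ApiKey "$(az keyvault secret show --name MySecret \
#     --vault-name mykeyvault --query value -o tsv)"

# Offline demo with a constructed value (a runner sets GITHUB_OUTPUT itself).
if [ -z "${GITHUB_OUTPUT:-}" ]; then
  GITHUB_OUTPUT=$(mktemp)
  set_secret_output ApiKey 'constructed-example-value'
  cat "$GITHUB_OUTPUT"   # ApiKey=constructed-example-value
  rm -f "$GITHUB_OUTPUT"
  unset GITHUB_OUTPUT
fi
```

The mask has to be emitted before anything else in the step can print the value, and the step still needs an `id` so later steps can read `steps.<id>.outputs.ApiKey`.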


  2. Try the GitHub Actions workflow below to get the Key Vault secret in the next step without using set-output:

    My GitHub Actions workflow:

    name: Azure Key Vault Secrets
    
    on:
      push:
        branches:
          - main
    
    jobs:
      build:
        runs-on: ubuntu-latest
    
        steps:
        - name: Checkout code
          uses: actions/checkout@v2
    
        - name: Login to Azure
          uses: azure/login@v1
          with:
            creds: ${{ secrets.AZURE_CREDENTIALS }}
       
        - name: Get Key Vault Secret
          run: |
            value1=$(az keyvault secret show --name secret2 --vault-name silicon-keyvault --query value -o tsv)
            echo "Secret Value: $value1"
            echo "SECRET_VALUE=$value1" >> $GITHUB_ENV
        
        - name: Output Secret Value
          run: echo "Secret Value is $SECRET_VALUE"
    
    
    

    Reference: my SO thread answer.
