
How to use Azure Key Vault with GitHub Actions?


I have a GitHub Action where I am trying to insert a secret from Azure Key Vault into my appsettings.json. I was using https://github.com/Azure/get-keyvault-secrets and it was working, but I was getting a warning that it is deprecated.

The suggestion is to use azure/CLI@v1, https://github.com/Azure/cli. How do I set up the script so I can use the value of the secret in another step without using set-output, as it is deprecated?

This works, but I don't want to use set-output anymore because it is being disabled soon:

    - name: Get Appsettings Key Vault Secrets
      uses: azure/CLI@v1
      with:
        azcliversion: 2.30.0
        inlineScript: |
          echo "::set-output name=ApiKey::$(az keyvault secret show --vault-name keyvaultname --name ApiKey --query value -o tsv)"
      id: azKeyVaultAppSettings

I tried this:

    jobs:
      build:

        runs-on: ubuntu-latest

        steps:
        - uses: actions/checkout@v3
        - name: Login to Azure
          uses: azure/login@v1
          with:
            creds: ${{ secrets.AZURE_CREDENTIALS }}

        - name: Get Appsettings Key Vault Secrets
          uses: azure/CLI@v1
          with:
            azcliversion: 2.30.0
            inlineScript: |
              echo "name=ApiKeyName::add-mask::$(az keyvault secret show --vault-name keyvaultname --name ApiKeyName --query value -o tsv)" >> $GITHUB_OUTPUT
          id: azKeyVaultAppSettings
        - name: Setup .NET
          uses: actions/setup-dotnet@v2
          with:
            dotnet-version: 5.x
        - name: Restore dependencies
          run: dotnet restore
        - name: Build
          run: dotnet build --configuration Release --no-restore
        - name: Swap appsettings vals
          uses: microsoft/variable-substitution@v1
          with:
            files: 'UI/appsettings.json'
          env:
            ApiKeyName: ${{ steps.azKeyVaultAppSettings.outputs.ApiKeyName }}

This is setting the value in the appsettings to an empty string. I'm also wondering how to set it up so that when the Swap appsettings vals step runs it doesn't output the secret value.

Thank you!


Solution

I was able to solve it by doing this:

    - name: Get Appsettings Key Vault Secrets
      run: |
        api_secret=$(az keyvault secret show --name MySecret --vault-name mykeyvault --query value -o tsv)
        echo "::add-mask::$api_secret"
        echo "ApiKey=$api_secret" >> "$GITHUB_OUTPUT"
      id: my-api-key

    - name: Swap appsettings vals
      uses: microsoft/variable-substitution@v1
      with:
        files: 'appsettings.json'
      env:
        ApiKey: ${{ steps.my-api-key.outputs.ApiKey }}

I had to mask the secret so it wouldn't print in the logs, and set an id to be able to use the secret in the following step. I followed the example here for masking a generated output within a single job: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
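The answer's mask-then-write pattern as an added helper (not the question's or the answer's own code), extended to also handle a multi-line secret such as a certificate exported from Key Vault, where a single `key=value` line would silently truncate the value; the function name `set_masked_output` and the delimiter prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It wraps the
# answer's pattern in one helper: mask the value first, then append it to
# the file named by $GITHUB_OUTPUT in the key=value form the runner reads.
# Multi-line values (a PEM certificate from Key Vault, say) do not fit
# key=value, so they use GitHub's documented "name<<DELIMITER" form with a
# random delimiter, and every line of the value is masked separately.
set -eu

# Usage: set_masked_output NAME VALUE   (helper name is hypothetical)
set_masked_output() {
  name="$1"
  value="$2"
  : "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set; run this inside a workflow step}"
  nl=$(printf '\nx'); nl=${nl%x}          # a literal newline, POSIX style

  # Mask before the value can reach the log. ::add-mask:: covers one line,
  # so each non-empty line of a multi-line value is masked on its own.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done

  case "$value" in
    *"$nl"*)
      # Random delimiter so a value that happens to contain the delimiter
      # text cannot close the block early and smuggle extra outputs in.
      delim="ghadelim_$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
      ;;
  esac
}

# In the answer's step this would be called as:
#   set_masked_output ApiKey "$(az keyvault secret show --name MySecret \
#       --vault-name mykeyvault --query value -o tsv)"
# and read in a later step as ${{ steps.my-api-key.outputs.ApiKey }}.
```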