Well-Architected Framework
GitHub Actions
You can choose from several effective methods to integrate Vault with GitHub Actions to manage pipeline secrets. Use this section to discover approaches to authenticate with Vault and retrieve secrets with GitHub Actions, and to learn more about the solution that best fits your requirements.
Use the GitHub OIDC provider
You can use the GitHub OIDC provider with Vault's JWT auth method to authenticate to Vault and retrieve pipeline secrets. The HashiCorp Validated Pattern Retrieve Vault secrets from GitHub Actions details the background and best practices for this approach, along with a validated architecture and complete implementation examples using HCP Vault.
When you use this approach to manage GitHub Actions pipeline secrets, you gain a scalable solution that simplifies management, applies the principle of least privilege, and eliminates long-lived static credentials: each workflow run exchanges a short-lived OIDC token issued by GitHub for a short-lived Vault token, and no Vault credential is stored in GitHub. You can also audit the complete secrets management solution.
HashiCorp resources:
- Retrieve Vault secrets from GitHub Actions
- Using OIDC With HashiCorp Vault and GitHub Actions (video)
- Building Scalable Enterprise Secrets Management with GitHub OIDC and HashiCorp Vault (video)
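As an added example that is not from this page or from the validated pattern, the following script configures the Vault side of the OIDC approach: it enables the JWT auth method against GitHub's OIDC discovery URL, writes a least-privilege policy, and creates a role whose bound_claims pin the token to one repository and its main branch. The organisation, repository, policy and role names are placeholders, and the audience is an assumption that must equal the jwtGithubAudience input the workflow passes to the Vault GitHub Action.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): Vault-side setup for GitHub OIDC.
# Org, repo, role and policy names below are assumptions for illustration.
set -eu

GH_ORG="${GH_ORG:-example-org}"        # assumed GitHub organisation
GH_REPO="${GH_REPO:-payments-api}"     # assumed repository
ROLE_NAME="gha-${GH_REPO}-main"        # Vault JWT role used by the workflow
POLICY_NAME="gha-${GH_REPO}-ci"
GH_ISSUER="https://token.actions.githubusercontent.com"   # GitHub's OIDC issuer

# Policy: read exactly one KV v2 secret and nothing else (least privilege).
ci_policy_hcl() {
  cat <<EOF
path "secret/data/ci/${GH_REPO}/deploy" {
  capabilities = ["read"]
}
EOF
}

# Role: bound_audiences must match the workflow's jwtGithubAudience input, and
# bound_claims pins the token to one repository AND one branch. Binding only on
# "repository" would let a workflow on any branch or tag of the repo obtain the
# policy; use the "environment" claim instead of "ref" for environment-gated jobs.
# bound_claims_type "string" means exact match (use "glob" only when you need it).
jwt_role_json() {
  cat <<EOF
{
  "role_type": "jwt",
  "user_claim": "actor",
  "bound_audiences": ["https://github.com/${GH_ORG}"],
  "bound_claims_type": "string",
  "bound_claims": {
    "repository": "${GH_ORG}/${GH_REPO}",
    "ref": "refs/heads/main"
  },
  "token_policies": ["${POLICY_NAME}"],
  "token_ttl": "10m",
  "token_max_ttl": "15m"
}
EOF
}

# Apply to the Vault at VAULT_ADDR (VAULT_TOKEN needs rights on sys/auth,
# auth/jwt/* and sys/policies/acl/*).
configure_vault() {
  vault auth list -format=json | grep -q '"jwt/"' || vault auth enable jwt
  # bound_issuer rejects tokens from any other issuer even if the discovery URL changes.
  vault write auth/jwt/config \
    oidc_discovery_url="${GH_ISSUER}" \
    bound_issuer="${GH_ISSUER}"
  ci_policy_hcl | vault policy write "${POLICY_NAME}" -
  jwt_role_json | vault write "auth/jwt/role/${ROLE_NAME}" -
}

case "${1:-show}" in
  apply) configure_vault ;;
  *)     echo "# policy ${POLICY_NAME}:"; ci_policy_hcl
         echo "# role ${ROLE_NAME}:";     jwt_role_json ;;
esac
```

Run it with `apply` against a real Vault; with no argument it only prints the policy and the role payload so they can be reviewed first. The matching workflow step sets `permissions: id-token: write`, uses `method: jwt`, `role: gha-payments-api-main` and `jwtGithubAudience: https://github.com/example-org` on the Vault GitHub Action.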
Use Vault secrets sync
Vault Secrets Sync provides an alternative solution for managing GitHub Actions pipeline secrets that is useful in cases where using the GitHub OIDC provider is not a feasible approach. This approach simplifies configuration, and allows you to select specific secrets or secret paths for synchronization from Vault to GitHub as repository or environment secrets.
When you use this approach you gain several benefits:
- Unlike with other approaches, you do not need to include authentication code in your workflow.
- Secrets Sync works with all runner types without extra configuration.
- When you rotate secrets in Vault, they automatically synchronize to GitHub.
- Simpler developer workflow: access secrets with familiar GitHub Actions syntax without learning Vault details.
- Maintain centralized policy and audit controls.
- Repository-level access control.
The Secrets Sync approach does have some limitations:
- Supports only static key/value (KV) Vault secrets engines.
- Copies secrets into GitHub instead of providing just-in-time access.
- Requires a GitHub personal access token or GitHub App credential for Vault to write to GitHub, which is another credential to manage and rotate.
HashiCorp resources:
- Developer's Guide to HCP Vault, Part 3: Secrets sync (video)
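As an added example that is not from this page, the following script sets up a secrets sync destination for one repository and associates one KV v2 secret with it, so that every key of that secret appears as a repository secret in GitHub. The destination name, KV mount, secret path and repository are placeholders; the script expects a fine-grained GitHub personal access token with "Secrets: read and write" on that single repository in the GITHUB_TOKEN environment variable. Secrets sync is a Vault Enterprise and HCP Vault feature.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): Vault secrets sync to GitHub Actions.
# Destination, mount, path and repository names are assumptions for illustration.
set -eu

GH_OWNER="${GH_OWNER:-example-org}"
GH_REPO="${GH_REPO:-payments-api}"
DEST_NAME="gh-${GH_REPO}"
KV_MOUNT="secret"                       # KV v2 mount
SECRET_PATH="ci/${GH_REPO}/deploy"      # i.e. secret/data/ci/payments-api/deploy

dest_path() { printf 'sys/sync/destinations/gh/%s' "$1"; }

# Refuse to run without the GitHub token rather than creating a destination
# with an empty credential.
require_env() {
  eval "v=\${$1:-}"
  [ -n "$v" ] || { echo "error: $1 is not set" >&2; return 1; }
}

configure_sync() {
  require_env GITHUB_TOKEN
  # Vault Enterprise 1.16+ needs a one-time activation of the feature.
  vault write -f sys/activation-flags/secrets-sync/activate
  # Destination: the PAT is stored in Vault, scoped to this one repository.
  # granularity=secret-key syncs each key of the KV secret as its own GitHub
  # secret instead of one JSON blob the workflow would have to parse.
  vault write "$(dest_path "$DEST_NAME")" \
    access_token="$GITHUB_TOKEN" \
    repository_owner="$GH_OWNER" \
    repository_name="$GH_REPO" \
    granularity=secret-key
  # Association: only this path is pushed; nothing else on the mount leaves Vault.
  vault write "$(dest_path "$DEST_NAME")/associations/set" \
    mount="$KV_MOUNT" \
    secret_name="$SECRET_PATH"
  # Verify the sync status of every association on this destination.
  vault read "$(dest_path "$DEST_NAME")/associations"
}

# Rotation check: a new version in Vault is pushed to GitHub with no workflow change.
rotate() {
  vault kv put -mount="$KV_MOUNT" "$SECRET_PATH" DEPLOY_KEY="$(openssl rand -hex 32)"
}

case "${1:-help}" in
  apply)  configure_sync ;;
  rotate) rotate ;;
  *)      echo "usage: $0 apply|rotate   (destination $(dest_path "$DEST_NAME"))" ;;
esac
```

The value still lands in GitHub's secret store, so treat the destination's personal access token like any other privileged credential: keep it to one repository, rotate it, and remember that Vault's audit log records the sync but not who later read the secret in a workflow.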
Use the HashiCorp Vault GitHub Action
HashiCorp provides an official Vault GitHub Action that integrates with your GitHub Actions CI/CD pipelines. The Vault GitHub Action supports several auth methods, allowing you to implement the approach that works best with your CI/CD workflow. We recommend using the JWT authentication method with GitHub OIDC tokens or the AppRole authentication method for this solution. Review the auth methods section of the Vault GitHub Action documentation to learn more.
Once authenticated with Vault, GitHub Actions pipelines can request secrets from any Vault secrets engine that serves them with a GET request. For example, you can use the AWS secrets engine to generate and retrieve dynamic AWS credentials, because reading aws/creds/<role> is a GET. Engines whose operations require a POST, such as Transit encryption or PKI certificate issuance, cannot be driven through the action's secrets input; call them from a run step with the token the action exports instead.
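As an added example that is not the Vault GitHub Action's own code, the following script shows what the action does for you when you use `method: jwt` and ask for dynamic AWS credentials, written as a plain `run:` step for runners where the action cannot be used: request the job's OIDC token from GitHub, exchange it at auth/jwt/login, read aws/creds/<role> once, and mask and export the values. The job needs `permissions: id-token: write`. The Vault address, role names and audience are assumptions and must match the Vault-side configuration.

```shell
#!/bin/sh
# Added example (not vault-action's code): JWT login and dynamic AWS creds by hand.
# VAULT_ADDR, the role names and the audience are assumptions for illustration.
set -eu

VAULT_ADDR="${VAULT_ADDR:-https://vault.example.com:8200}"   # assumed address
VAULT_ROLE="${VAULT_ROLE:-gha-payments-api-main}"            # JWT auth role name
AUDIENCE="${AUDIENCE:-https://github.com/example-org}"       # must equal the role's bound_audiences
AWS_ROLE="${AWS_ROLE:-ci-deploy}"                            # role under aws/roles/
export VAULT_ADDR

# Pull one string field out of a JSON document (enough for Vault and GitHub
# responses; avoids a jq dependency on minimal runners).
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Mask a value in the job log and hand it to later steps through GITHUB_ENV.
# ::add-mask:: works per line, and the heredoc form of GITHUB_ENV is safe for
# values containing newlines or '='. vault-action does both of these for you.
export_secret() {
  name=$1; value=$2
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
  delim="GHADELIM_$$"
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "${GITHUB_ENV:?set by the runner}"
}

# 1. Request this job's OIDC token from GitHub with the audience Vault expects.
github_oidc_token() {
  curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:?}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL:?}&audience=${AUDIENCE}" | json_field value
}

# 2. Exchange it for a Vault token carrying only the role's policies.
vault_login() {
  vault write -field=token auth/jwt/login role="$VAULT_ROLE" jwt="$(github_oidc_token)"
}

# 3. One GET on aws/creds/<role> returns one credential set. Read it exactly
#    once: every read generates a fresh, separately leased credential.
fetch_aws_creds() {
  VAULT_TOKEN="$(vault_login)"; export VAULT_TOKEN
  creds="$(vault read -format=json "aws/creds/${AWS_ROLE}")"
  export_secret AWS_ACCESS_KEY_ID     "$(printf '%s' "$creds" | json_field access_key)"
  export_secret AWS_SECRET_ACCESS_KEY "$(printf '%s' "$creds" | json_field secret_key)"
  export_secret AWS_SESSION_TOKEN     "$(printf '%s' "$creds" | json_field session_token)"
  # The credential lease is a child of this Vault token: do not revoke the
  # token here, and size its TTL and the aws role's ttl to outlast the job.
}

case "${1:-}" in
  run) fetch_aws_creds ;;
  *)   echo "usage: $0 run   (inside a GitHub Actions job with id-token: write)" ;;
esac
```

The masking step matters because anything written to GITHUB_ENV or printed in a later step would otherwise appear in the job log in clear text; the action masks every retrieved value automatically, and a hand-written step must do the same.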
HashiCorp resources:
- Vault GitHub Action
- Vault GitHub Action repository
- Automate workflows with Vault GitHub actions
- Integrate with GitHub Actions
- Learn Vault GitHub Actions (example code)
- Secure Developer Workflows with Vault & GitHub Actions (video)
- Secure GitOps Workflows with GitHub Actions and HashiCorp Vault (video)
External resources:
- Push button security for your GitHub Actions
- How to Use HashiCorp Vault Action
- Vault GitHub Actions example
- Automate Workflows w/ HashiCorp Vault GitHub Actions (video)
Next steps
In this section of managing CI/CD secrets, you learned about GitHub Actions and Vault integration. GitHub Actions and Vault integration is part of the Secure systems pillar.