NavigationContentFooter
Jump toSuggest an edit

Fetching secrets from the Secret Manager using the Scaleway GitHub Action

Reviewed on 17 June 2024Published on 01 June 2023
  • secret-management
  • github-action
  • continuous-integration

GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.

In this tutorial, you will learn how to use the Scaleway Secret Manager GitHub Action in your GitHub Actions workflow to retrieve your secrets stored in Secret Manager and expose them as environment variables.

Oftentimes, when doing Continuous Integration/Continuous Deployment, you need to access secrets to log in to a Docker registry, push code changes, call APIs, etc.

A good practice is to use a Secret Manager to store your secrets, securely in one place. When doing that, you have to copy and paste your secrets and put them in your CI which duplicates the secrets and leads to desynchronization with your source of truth. This is where GitHub action is useful.

Before you start

To complete the actions presented below, you must have:

  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • A valid API key

Preparing your GitHub repository

You need to create the following secrets in your GitHub repository:

  • SCW_ACCESS_KEY: your API access key
  • SCW_SECRET_KEY: your API secret key
  • SCW_DEFAULT_ORGANIZATION_ID: your organization ID
  • SCW_DEFAULT_PROJECT_ID: the project ID where you have your secrets
  1. Navigate to Settings > Secrets and Variables > Actions of your GitHub repository.
  2. Click New repository secret and fill in the Name and Secret fields.
  3. Click Add secret.
  4. Repeat the steps above until you have created all the secrets.
Note

GitHub secrets are immutable. If you want to update the value, you need to delete the current secret and create a new one.

Use GitHub Action in your workflow

For this tutorial, we suppose you have a workflow defined in .github/workflows/test.yml.

  1. Add the following code to use the action:

    [...]
    steps:
    [...]
    - uses: scaleway/action-scw-secret@v0
    with:
    secret-names: |
    my-github-secret
    access-key: ${{ secrets.SCW_ACCESS_KEY }}
    secret-key: ${{ secrets.SCW_SECRET_KEY }}
    default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
    default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
    [...]

    This will tell the GitHub action to access the latest version of your secret called my-github-secret and will expose its value as the environment variable MY_GITHUB_SECRET.

  2. Use this environment variable in the following steps of the job as follows:

    [...]
    - run: echo "Successfully retrieve 'my-github-secret' with value $MY_GITHUB_SECRET"

    The value displays as *** in the logs of your action to prevent the secret value from being leaked.

Resources

The full content of the workflow described above is the following:

name: Scaleway get secrets action test
on: [push]
jobs:
test-scaleway-get-secrets:
runs-on: ubuntu-latest
steps:
- uses: scaleway/action-scw-secret@v0
with:
secret-names: |
my-github-secret
access-key: ${{ secrets.SCW_ACCESS_KEY }}
secret-key: ${{ secrets.SCW_SECRET_KEY }}
default-project-id: ${{ secrets.SCW_DEFAULT_PROJECT_ID }}
default-organization-id: ${{ secrets.SCW_DEFAULT_ORGANIZATION_ID }}
- run: echo "Successfully retrieve 'my-github-secret' with value $MY_GITHUB_SECRET"
Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway