forked from cmancone/akeyless-action
-
Notifications
You must be signed in to change notification settings - Fork 4
136 lines (117 loc) · 4.69 KB
/
dynamic-azure-ad.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: 'Azure AD Dynamic Secrets'
# Docs => https://docs.akeyless.io/docs/azure-ad-dynamic-secrets
on:
workflow_dispatch:
push:
branches:
- main
paths:
- 'src/**/*'
- 'package.json'
- 'package-lock.json'
- '.github/workflows/dynamic-azure-ad.yml'
jobs:
##############################
########## Option 1 ##########
##############################
# - Uses default behavior
# The response from Akeyless is kept in it's original JSON string. It is then your responsibility to correctly parse it.
fetch_dynamic_secrets:
runs-on: ubuntu-latest
name: AAD dynamic secrets (default)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/dvlup-azure":"azure_ad_dynamic_secret"}'
# See other example workflows on how to manually parse each key value => https://github.com/LanceMcCarthy/akeyless-action/blob/main/.github/workflows/dynamic-github.yml#L35-L53
# For this demo we'll just use jq and export them to custom env vars directly
- name: Export Secrets to Environment using jq
run: |
echo '${{ steps.fetch-secrets.outputs.azure_ad_dynamic_secret }}' | jq -r 'to_entries|map("AKEYLESS_AZURE_AD_\(.key|ascii_upcase)=\(.value|tostring)")|.[]' >> $GITHUB_ENV
- name: Verify exported variables
run: |
echo "id: ${{ env.AKEYLESS_AZURE_AD_ID }}"
echo "msg: ${{ env.AKEYLESS_AZURE_AD_MSG }}"
echo "secret: ${{ env.AKEYLESS_AZURE_AD_SECRET }}"
echo "ttl_in_minutes: ${{ env.AKEYLESS_AZURE_AD_TTL_IN_MINUTES }}"
##############################
########## Option 2 ##########
##############################
# - Uses 'parse-dynamic-secrets: true'
# This will automatically parse the JSON string into individual outputs
auto_parsed_secrets:
runs-on: ubuntu-latest
name: AAD dynamic secrets (parsed)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/dvlup-azure":""}' #no prefix, all output fields are dynamically parsed from source
parse-dynamic-secrets: true
- name: Verify Job Outputs (to known field names, pre-parsed)
run: |
echo "ID: ${{ steps.fetch-secrets.outputs.id }}"
echo "MSG: ${{ steps.fetch-secrets.outputs.msg }}"
echo "SECRET: ${{ steps.fetch-secrets.outputs.secret }}"
echo "TTL_IN_MINUTES: ${{ steps.fetch-secrets.outputs.ttl_in_minutes }}"
- name: Verify Environment Variables (to known field names, pre-parsed)
run: |
echo "ID: ${{ env.id }}"
echo "MSG: ${{ env.msg }}"
echo "SECRET: ${{ env.secret }}"
echo "TTL_IN_MINUTES: ${{ env.ttl_in_minutes }}"
##############################
########## Option 3 ##########
##############################
# - Uses 'parse-dynamic-secrets: true'
# - Uses 'AZURE_AD' as a prefix to the output names
# This is the same as Option 2, but with a known prefix to help avoid conflicts with other variable names
auto_parsed_secrets_with_prefix:
runs-on: ubuntu-latest
name: AAD dynamic secrets (prefix-parsed)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/dvlup-azure":"AZURE_AD"}' #applies "AZURE_AD_" prefix to dynamically parsed output names
parse-dynamic-secrets: true
- name: Verify Job Outputs (to known field names, pre-parsed with prefix)
run: |
echo "ID: ${{ steps.fetch-secrets.outputs.AZURE_AD_id }}"
echo "MSG: ${{ steps.fetch-secrets.outputs.AZURE_AD_msg }}"
echo "SECRET: ${{ steps.fetch-secrets.outputs.AZURE_AD_secret }}"
echo "TTL_IN_MINUTES: ${{ steps.fetch-secrets.outputs.AZURE_AD_ttl_in_minutes }}"
- name: Verify Environment Variables (to known field names, pre-parsed with prefix)
run: |
echo "ID: ${{ env.AZURE_AD_id }}"
echo "MSG: ${{ env.AZURE_AD_msg }}"
echo "SECRET: ${{ env.AZURE_AD_secret }}"
echo "TTL_IN_MINUTES: ${{ env.AZURE_AD_ttl_in_minutes }}"