Secret Vault Action Documentation & Configuration Generator

Security Notice: Always use GitHub secrets ${{ secrets.SECRET_NAME }} for sensitive values. Never use plain text for tokens, usernames, or passwords.

Secret Vault Action

This GitHub Action allows you to fetch secrets from an Entrust KeyControl Secret Vault and make them available in your GitHub Actions workflow.

Security Best Practice: Always store sensitive values like API tokens, usernames, and passwords in GitHub Secrets and reference them using ${{ secrets.SECRET_NAME }} syntax.

Authentication Methods
Usage Parameters
Action Workflow
Secret Format
Access Patterns
Examples
Best Practices
File Cleanup
Additional Resources

Create Your Configuration

Use our interactive generator to create a custom configuration for your workflow.

Authentication Methods

Username/Password Authentication

Exchanges credentials for a temporary access token and authentication is performed for each run.

Example Input:

auth_type: 'userpass'
username: ${{ secrets.VAULT_USERNAME }}
password: ${{ secrets.VAULT_PASSWORD }}

Token Authentication

Uses a pre-generated API token for direct authentication. This is simpler but requires token management.

Example Input:

auth_type: 'token'
api_token: ${{ secrets.VAULT_TOKEN }}

Input Parameters

Name	Description	Required	Default
`base_url`	Base URL of your vault service	Yes
`auth_type`	Authentication type (token, userpass)	No	token
`username`	Username for authentication	If `auth_type` is `userpass`
`password`	Password for authentication	If `auth_type` is `userpass`
`api_token`	Vault Auth Token	If `auth_type` is `token`
`vault_uid`	Unique identifier for the vault	If `auth_type` is `userpass`
`ca_cert`	Base64-encoded CA certificate for self-signed certificates	No
`secrets`	Multi-line list of secrets to retrieve	Yes

Action Workflow

Authentication

Action authenticates with the vault using specified credentials
Obtains access token if using username/password method
Uses the token for subsequent API calls
Validates the CA certificate if provided

Secret Retrieval and Output

Makes authenticated API calls to retrieve each requested secret
Sets values as workflow environment variables
Makes values available as action outputs

Security Controls

All secret values marked as sensitive (masked in logs)
Temporary tokens handled securely
Certificate validation for secure API communication

Secret Format

Secrets are specified in the format: BoxName.SecretName | ENV_VAR_NAME;

Multiple secrets can be specified, separated by semicolons.

You can use BoxID and SecretID in place of BoxName and SecretName, if required.

Access Patterns for Secrets

Direct Environment Variables

Available in all subsequent steps.
Used like: $AWS_ACCESS_KEY_ID in shell commands.

Action Outputs

Referenced via: ${{ steps.fetch-secrets.outputs.SECRET_NAME }}
Useful in expressions or when exact variable name is important.

File Creation Using Outputs

Users can create files from the action's outputs if needed.

- name: Create secrets file
  run: |
    touch secrets.json
    echo '${{ toJson(steps.fetch-secrets.outputs) }}' >> secrets.json

Example Workflow

name: Deploy Application

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch secrets from vault
        id: fetch-secrets
        uses: EntrustCorporation/secrets-vault-action@v1
        with:
          base_url: ${{ secrets.VAULT_URL }}
          auth_type: 'userpass'
          username: ${{ secrets.VAULT_USERNAME }}
          password: ${{ secrets.VAULT_PASSWORD }}
          vault_uid: ${{ secrets.VAULT_UID }}
          secrets: |
            Box1.apiKey | API_KEY;
            Box2.dbPass | DB_PASSWORD;

      - name: Use secrets
        run: |
          echo "Using API_KEY: ${{ steps.fetch-secrets.outputs.API_KEY }}"
          echo "Using DB_PASSWORD: ${DB_PASSWORD}"

Comprehensive Example

name: Deploy Application

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch secrets from vault
        id: fetch-secrets
        uses: EntrustCorporation/secrets-vault-action@v1
        with:
          base_url: ${{ secrets.VAULT_URL }}
          auth_type: 'userpass'
          username: ${{ secrets.VAULT_USERNAME }}
          password: ${{ secrets.VAULT_PASSWORD }}
          vault_uid: ${{ secrets.VAULT_UID }}
          secrets: |
            Box1.accessKey | AWS_ACCESS_KEY_ID;
            Box1.secretKey | AWS_SECRET_ACCESS_KEY;
            Box2.privateKey | SSH_KEY;
            Box1.sslCert | SSL_CERT;

      - name: Create SSH directory and key
        run: |
          mkdir -p -m 700 ./ssh
          echo "$SSH_KEY" > ./ssh/id_rsa
          chmod 600 ./ssh/id_rsa

      # Use secrets in subsequent steps
      - name: Configure AWS CLI
        run: |
          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY

Best Practices for Handling Secrets

Restrict File Permissions: If you write secrets into files, set strict permissions (e.g. chmod 600)
Avoid Unnecessary File Creation: Only create files from secrets if absolutely necessary
Secure Cleanup: Always delete sensitive files after use with shred or rm
Mask Sensitive Data: Ensure secrets are masked in logs using GitHub's secret masking

File Secret Handling Example

# Create secure file with appropriate permissions
mkdir -p -m 700 ./temp_dir
echo "$SECRET" | base64 --decode > ./temp_dir/secret_file
chmod 600 ./temp_dir/secret_file

# Clean up securely when done
shred -u ./temp_dir/secret_file || rm -f ./temp_dir/secret_file

File Cleanup Best Practices

When working with sensitive data from secrets, always ensure proper cleanup:

Secure File Deletion

Use shred when available to securely overwrite files before deletion:

# Linux secure file deletion
if command -v shred &> /dev/null; then
  shred -uzf ./path/to/secret_file
else
  rm -f ./path/to/secret_file
fi

Temporary Directories

Create and clean up temporary directories in a secure manner:

# Create a temporary directory with secure permissions
TEMP_DIR=$(mktemp -d)
chmod 700 $TEMP_DIR

# Work with your secrets
echo "$SECRET_DATA" > $TEMP_DIR/config.json
chmod 600 $TEMP_DIR/config.json

# Use the secrets for your application
your_application --config $TEMP_DIR/config.json

# Clean up when done
find $TEMP_DIR -type f -exec shred -uzf {} \; 2>/dev/null || find $TEMP_DIR -type f -exec rm -f {} \;
rm -rf $TEMP_DIR

GitHub Actions Workflows

For GitHub Actions, consider using a dedicated cleanup step that runs even if previous steps fail:

- name: Application deployment
  id: deploy
  run: |
    mkdir -p -m 700 ./config
    echo "${{ steps.fetch-secrets.outputs.API_KEY }}" > ./config/credentials
    chmod 600 ./config/credentials
    ./deploy.sh --config ./config/credentials
  
- name: Cleanup sensitive files
  if: always()
  run: |
    if [ -d "./config" ]; then
      find ./config -type f -exec shred -uzf {} \; 2>/dev/null || find ./config -type f -exec rm -f {} \;
      rm -rf ./config
    fi

Additional Resources

Official GitHub Repository Source code and detailed technical documentation
GitHub Secrets Documentation Learn how to properly manage GitHub secrets for workflows
GitHub Actions Documentation Complete guide to GitHub Actions workflows
Entrust KeyControl Learn more about Entrust KeyControl solutions

Need a custom configuration?

Use our interactive configuration generator to create a tailored YAML configuration for your specific workflow needs.

Basic Configuration

Step ID:

Base URL Input Type:

Base URL (from GitHub Secret):

Authentication Type:

Username/Password Authentication

Username:

Password:

Vault UID:

Advanced Options

CA Certificate Type:

Skip TLS Verification:

Continue on Error:

Secrets

Specify the secrets to retrieve from the vault.

Box Name/ID:

Secret Name/ID:

Environment Variable:

Secret Vault Action Documentation & Configuration Generator