From cef3d813fd19ab1192f2ab5672b550a523e157a1 Mon Sep 17 00:00:00 2001
From: "Trez.One"
Date: Thu, 2 Oct 2025 08:43:38 -0400
Subject: [PATCH] Additional inputs and tweaking jq formatting for env file.
---
README.md | 43 +++++++++++++++++++++++++++++++++++++++++++++-
action.yml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 action.yml
diff --git a/README.md b/README.md
index 9f951e4..066f989 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,43 @@
-# hc-vault-env
+# Adapted from https://github.com/Simporter/get-env-file-from-vault
+## Get env-file from Hashicorp Vault GitHub Action
+
+Simple action to get env file from HashiCorp Vault™.
+
+## Example Usage
+
+```yaml
+jobs:
+ build:
+ # ...
+ steps:
+ # ...
+ - name: Get env file
+ uses: https://git.trez.wtf/Trez/hc-vault-env@main
+ with:
+ HC_VAULT_VERSION: "1.20.4"
+ HC_VAULT_ADDR: https://vault.mycompany.com:8200
+ HC_VAULT_USERNAME: ${{ secrets.HC_VAULT_USERNAME }}
+ HC_VAULT_PASSWORD: ${{ secrets.HC_VAULT_PASSWORD }}
+ HC_VAULT_SECRETS_PATH: ${{ secrets.HC_VAULT_SECRETS_PATH }}
+ # ...
+```
+
+will get all the secrets from `kv` storage from `HC_VAULT_SECRETS_PATH` and put it in a `.env`
+
+## Authentication method
+
+Currently, only `userpass` login method is implemented. `HC_VAULT_USERNAME` and `HC_VAULT_PASSWORD` to authenticate with Vault.
+
+## Reference
+
+Here are all the inputs available through `with`:
+
+| Input | Description | Default | Required |
+| ----------------------- | ---------------------------------------- | ------- | -------- |
+| `HC_VAULT_VERSION` | Vault version | | ✔ |
+| `HC_VAULT_ADDR` | Vault url | | ✔ |
+| `HC_VAULT_USERNAME` | Vault login username for `userpass` auth | | ✔ |
+| `HC_VAULT_PASSWORD` | Vault login password for `userpass` auth | | ✔ |
+| `HC_VAULT_SECRETS_PATH` | Vault secrets path | | ✔ |
+| `ENV_FILE_NAME` | Name of created env-file | .env | | 
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..a5b02a7
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,68 @@
+name: "Generate .env file from Hashicorp Vault"
+description: "Get secrets from Vault and write to a .env file"
+
+branding:
+ icon: "lock"
+ color: "purple"
+
+inputs:
+ HC_VAULT_VERSION:
+ description: "Hashicorp Vault version"
+ required: true
+
+ HC_VAULT_ADDR:
+ description: "Vault url"
+ required: true
+
+ HC_VAULT_USERNAME:
+ description: "Vault login username"
+ required: false
+
+ HC_VAULT_PASSWORD:
+ description: "Vault login password"
+ required: false
+
+ HC_VAULT_SECRETS_PATH:
+ description: "Vault secrets path"
+ required: true
+
+ ENV_FILE_NAME:
+ description: "Name of created env-file"
+ required: false
+ default: .env
+
+runs:
+ using: "composite"
+ steps:
+ - name: Install Hashicorp Vault
+ shell: bash
+ run: |
+ curl -S -O https://releases.hashicorp.com/vault/${{ inputs.HC_VAULT_VERSION }}/vault_${{ inputs.HC_VAULT_VERSION }}_linux_amd64.zip
+ unzip -u vault_${{ inputs.HC_VAULT_VERSION }}_linux_amd64.zip -d .
+ chmod +x vault
+ mv vault /usr/local/bin
+
+ - name: Login to Hashicorp Vault with userpass
+ if: ${{ HC_VAULT_AUTH_METHOD == 'userpass' }}
+ shell: bash
+ env:
+ VAULT_ADDR: ${{ inputs.HC_VAULT_ADDR }}
+ VAULT_SKIP_VERIFY: "true"
+ run: |
+ vault login \
+ -no-print \
+ -method=userpass \
+ username=${{ inputs.HC_VAULT_USERNAME }} \
+ password=${{ inputs.HC_VAULT_PASSWORD }}
+
+ - name: Create env-file from Hashicorp Vault config
+ shell: bash
+ env:
+ VAULT_TOKEN: ${{ inputs.HC_VAULT_TOKEN }}
+ VAULT_ADDR: ${{ inputs.HC_VAULT_ADDR }}
+ VAULT_SKIP_VERIFY: "true"
+ run: |
+ vault kv get -format=json ${{ inputs.HC_VAULT_SECRETS_PATH }} \
+ | jq -r '.data.data' \
+ | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env \
+ > ${{ inputs.ENV_FILE_NAME }}
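Review bot: `VAULT_SKIP_VERIFY: "true"` is hard-coded in both the login step and the `kv get` step, so the userpass credentials and every secret read go over a TLS connection whose server certificate is never checked; make it an input that defaults to `"false"`. The last line of the final step, `> .env \` followed by `> ${{ inputs.ENV_FILE_NAME }}`, applies both redirections, so an empty `.env` is always truncated into the workspace and only the second file receives the output — drop the `.env` redirect. The `if:` on the login step references `HC_VAULT_AUTH_METHOD`, which is neither a declared input nor a GitHub context, and `VAULT_TOKEN: ${{ inputs.HC_VAULT_TOKEN }}` reads an input that is not declared; I believe the first is rejected when the action is parsed and the second expands to empty, the later step then working only because `vault login` cached its token in the runner's home directory. The install step should use `curl -fsSLO` so an HTTP error page is not saved as the `.zip` and then fed to `unzip`, and should check the archive against the published `vault_<version>_SHA256SUMS` file before installing it. Inputs are also interpolated straight into the shell scripts; pass them through `env:` and reference them as quoted `"$VAR"` so a password or path containing quotes, spaces or `$` cannot break or alter the script.
```yaml
inputs:
  # … unchanged: existing inputs …
  HC_VAULT_SKIP_VERIFY:
    description: "Skip TLS certificate verification of HC_VAULT_ADDR (insecure; testing only)"
    required: false
    default: "false"

runs:
  using: "composite"
  steps:
    - name: Install Hashicorp Vault
      shell: bash
      env:
        VAULT_VERSION: ${{ inputs.HC_VAULT_VERSION }}
      run: |
        curl -fsSLO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip"
        curl -fsSLO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS"
        sha256sum --check --ignore-missing "vault_${VAULT_VERSION}_SHA256SUMS"
        unzip -u "vault_${VAULT_VERSION}_linux_amd64.zip" -d .
        # … unchanged: chmod / mv …

    - name: Login to Hashicorp Vault with userpass
      shell: bash
      env:
        VAULT_ADDR: ${{ inputs.HC_VAULT_ADDR }}
        VAULT_SKIP_VERIFY: ${{ inputs.HC_VAULT_SKIP_VERIFY }}
        HC_VAULT_USERNAME: ${{ inputs.HC_VAULT_USERNAME }}
        HC_VAULT_PASSWORD: ${{ inputs.HC_VAULT_PASSWORD }}
      run: |
        vault login -no-print -method=userpass \
          username="$HC_VAULT_USERNAME" password="$HC_VAULT_PASSWORD"

    - name: Create env-file from Hashicorp Vault config
      shell: bash
      env:
        VAULT_ADDR: ${{ inputs.HC_VAULT_ADDR }}
        VAULT_SKIP_VERIFY: ${{ inputs.HC_VAULT_SKIP_VERIFY }}
        SECRETS_PATH: ${{ inputs.HC_VAULT_SECRETS_PATH }}
        ENV_FILE_NAME: ${{ inputs.ENV_FILE_NAME }}
      run: |
        vault kv get -format=json "$SECRETS_PATH" \
          | jq -r '.data.data' \
          | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > "$ENV_FILE_NAME"
```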