GitHub Action for secure secrets delivery to your workflow test environment using CyberArk Conjur.
Supports authenticating with CyberArk Conjur using host identity and JWT authentication.
on: [push]
jobs:
test:
# ...
steps:
# ...
- name: Import Secrets using CyberArk Conjur Secret Fetcher
uses: infamousjoeg/conjur-action@v2.0.2
with:
url: ${{ secrets.CONJUR_URL }}
account: cyberarkdemo
host_id: ${{ secrets.CONJUR_USERNAME }}
api_key: ${{ secrets.CONJUR_API_KEY }}
secrets: db/sqlusername|sql_username;db/sql_password
# ...url- this is the path to your Conjur instance endpoint. e.g.https://conjur.cyberark.com:8443account- this is the account configured for the Conjur instance during deployment.host_id- this is the Host ID granted to your application by Conjur when created via policy. e.g.host/db/github_actionapi_key- this is the API key associated with your Host ID declared previously.secrets- a semi-colon delimited list of secrets to fetch. Refer to Secrets Syntax in the README below for more details.
certificate- if using a self-signed certificate, provide the contents for validated SSL.
authn_id- this is the ID of Authn-JWT at Conjur
on: [push]
jobs:
test:
# ...
permissions:
id-token: 'write'
contents: 'read'
steps:
# ...
- name: Import Secrets using CyberArk Conjur Secret Fetcher
uses: infamousjoeg/conjur-action@v2.0.2
with:
url: ${{ secrets.CONJUR_URL }}
account: cyberarkdemo
authn_id: ${{ secrets.CONJUR_AUTHN_ID }}
secrets: db/sqlusername|sql_username;db/sql_password
# ...JWT Authenticator is required at Conjur server. You may wish to refer to official doc
The sample policy below validates GitHub repository & workflow
- Sample authenticator policy
- Sample app id policy
- Sample secret values and commands:
conjur policy load -f ./policy/github-authn-jwt.yml -b root
conjur policy load -f ./policy/github-app-id.yml -b root
conjur variable set -i conjur/authn-jwt/github/issuer -v "https://token.actions.githubusercontent.com"
conjur variable set -i conjur/authn-jwt/github/jwks-uri -v "https://token.actions.githubusercontent.com/.well-known/jwks"
conjur variable set -i conjur/authn-jwt/github/token-app-property -v "workflow"
conjur variable set -i conjur/authn-jwt/github/enforced-claims -v "workflow,repository"
conjur variable set -i conjur/authn-jwt/github/identity-path -v "/github-apps"
url- this is the path to your Conjur instance endpoint. e.g.https://conjur.cyberark.com:8443account- this is the account configured for the Conjur instance during deployment.authn_id- this is the ID of Authn-JWT at Conjursecrets- a semi-colon delimited list of secrets to fetch. Refer to Secrets Syntax in the README below for more details.
certificate- if using a self-signed certificate, provide the contents for validated SSL.
host_id- this is the Host ID granted to your application by Conjur when created via policy. e.g.host/db/github_actionapi_key- this is the API key associated with your Host ID declared previously.
{{ conjurVariable1|envVarName1;conjurVariable2 }}
The secrets argument is a semi-colon (;) delimited list of secrets. Spaces are NOT SUPPORTED. The list can optionally contain the name to set for the environment variable.
db/sqlusername|sql_username;db/sql_password
In the above example, the first secret section is db/sqlusername|sql_username. The | separates the Conjur Variable ID from the environment variable that will contain the value of the Conjur Variable's value.
The second secret section is db/sql_password. When no name is given for the environment variable, the Conjur Variable Name will be used. In this example, the value would be set to SQL_PASSWORD as the environment variable name.
It is recommended to set the URL, Host ID, and API Key values for the Action to function as secrets by going to Settings > Secrets in your GitHub repository and adding them there. These can then be called in your workflows' YAML file as a variable: ${{ secrets.SECRETNAME }}
The CyberArk Conjur Secret Fetcher GitHub Action utilizes masking prior to setting secret values to the environment. This prevents output to the console and to logs.
Joe Garcia - @infamousjoeg
Quincy Cheng - @quincycheng
