From fb259b9597ce025474ab2eef6ce51cd3ebd6d8d3 Mon Sep 17 00:00:00 2001 From: Floris van der Grinten Date: Tue, 25 May 2021 15:50:12 +0200 Subject: [PATCH 1/6] Create README --- README.md | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 122 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8494fbd..7845343 100644 --- a/README.md +++ b/README.md @@ -1 +1,122 @@ -# env-export-action +# Load Secrets from 1Password - GitHub Action + +The action to load secrets from 1Password Connect into GitHub Actions. + +Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. + +Just like regular GitHub repository secrets, every secret from 1Password will automatically be masked from the GitHub Actions logs too. +So if they accidentally get printed, they'll get replaced with `***`. + +## Usage + +```yml +on: push +jobs: + hello-world: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Load secret + uses: 1password/load-secrets-action@v1 + env: + OP_CONNECT_HOST: + OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} + SECRET: op://app-cicd/hello-world/secret + - name: Print masked secret + run: echo "Secret: $SECRET" + # Prints: Secret: *** +``` +
+Longer usage example + +```yml +on: push +name: Deploy app + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Configure 1Password Connect + uses: 1password/load-secrets-action/configure@v1 + with: + # Persist the 1Password Connect URL for next steps. You can also persist + # the Connect token using input `connect-token`, but keep in mind that + # every single step in the job would then be able to access the token. + connect-host: https://1password.acme.com + + - name: Load Docker credentials + uses: 1password/load-secrets-action@v1 + env: + OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} + DOCKERHUB_USERNAME: op://app-cicd/docker/username + DOCKERHUB_TOKEN: op://app-cicd/docker/token + + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKERHUB_TOKEN }} + + - name: Print environment variables with masked secrets + run: printenv + + - name: Build and push Docker image + uses: docker/build-push-action@v2 + with: + push: true + tags: acme/app:latest + + - name: Load AWS credentials + uses: 1password/load-secrets-action@v1 + with: + # Remove local copies of the Docker credentials, which are not needed anymore + unset-previous: true + env: + OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} + AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id + AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key + + - name: Deploy app + # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was + # done automatically by the step above + run: ./deploy.sh +``` +
+ +## 1Password Connect + +To use the action, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere. +To configure the action with your Connect URL and a Connect token, you can set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables. + +If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration. +Expand the usage snippet above to see an example of this. + +## Secrets Reference Syntax + +To specify which secret should be loaded into which environment variable, the action will look for `op://` reference URIs in environment variables, and replace those with the actual secret values. + +These reference URIs have the following syntax: + +> `op:///[/
]/` + +So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be interpreted as: + * **Vault:** `app-cicd` + * **Item:** `aws` + * **Section:** default section + * **Field:** `secret-access-key` + +## Action Inputs + +| Name | Default | Description | +|---|---|---| +| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps | + +### Inputs for the `configure` action + +| Name | Default | Environment variable | Description | +|---|---|---|---| +| `connect-host` | | `OP_CONNECT_HOST` | Your 1Password Connect instance URL | +| `connect-token` | | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance | From d5609bd236e164620e5d95553200193c432b811c Mon Sep 17 00:00:00 2001 From: Floris van der Grinten Date: Thu, 27 May 2021 10:33:48 +0200 Subject: [PATCH 2/6] Link to secrets homepage Co-authored-by: David Gunter --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7845343..7872ed0 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Load Secrets from 1Password - GitHub Action -The action to load secrets from 1Password Connect into GitHub Actions. +The action to load secrets from [1Password Connect](https://1password.com/secrets/) into GitHub Actions. Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. From 08f33d084aaeffca3a6d3334047bb62440c02802 Mon Sep 17 00:00:00 2001 From: Floris van der Grinten Date: Thu, 27 May 2021 14:31:02 +0200 Subject: [PATCH 3/6] Add note on supported runner platforms --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 7872ed0..0caec93 100644 --- a/README.md +++ b/README.md 
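Review bot: the `unset-previous` row in the Action Inputs table does not say whether the flag also clears the `OP_CONNECT_HOST` / `OP_CONNECT_TOKEN` values persisted by the `configure` step or only the variables that were resolved from `op://` references; the longer example relies on the Connect host persisted earlier still being available when the 'Load AWS credentials' step runs with `unset-previous: true`, so state that explicitly in the description (for instance: "Whether to unset environment variables populated by earlier load-secrets steps; the Connect configuration is kept" if that is the behaviour). The `printenv` step in the same example also deserves a comment that it is there only to demonstrate masking, since it dumps every variable in the job and should not be carried into a real workflow.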
@@ -108,6 +108,10 @@ So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be * **Section:** default section * **Field:** `secret-access-key` +## Supported Runners + +You can run the action on Linux and macOS runners. Windows is currently not supported. + ## Action Inputs | Name | Default | Description | From 8df8b2ac7d1c88461fa4b28740d56cd9fe5db2cb Mon Sep 17 00:00:00 2001 From: Floris van der Grinten Date: Thu, 27 May 2021 14:45:33 +0200 Subject: [PATCH 4/6] Move note on masking into separate section --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0caec93..fc3574c 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,6 @@ The action to load secrets from [1Password Connect](https://1password.com/secret Specify right from your workflow YAML which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. -Just like regular GitHub repository secrets, every secret from 1Password will automatically be masked from the GitHub Actions logs too. -So if they accidentally get printed, they'll get replaced with `***`. - ## Usage ```yml @@ -108,6 +105,13 @@ So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be * **Section:** default section * **Field:** `secret-access-key` +## Masking + +Just like regular GitHub repository secrets, secrets loaded from 1Password will automatically be masked from the GitHub Actions logs too. +If they accidentally get printed, they'll get replaced with `***`. + +To avoid unnecessary masks (like a username field), masks are only applied on fields marked as concealed (which show as `•••••` in the 1Password GUI) and on secure notes. + ## Supported Runners You can run the action on Linux and macOS runners. Windows is currently not supported. From 115b2af805553c27f6f1b05d864c718d30fbc15b Mon Sep 17 00:00:00 2001 
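Review bot: "Windows is currently not supported" in the new Supported Runners section should say what a user sees when the action runs on a `windows-*` runner, i.e. whether the step fails early with a clear error or the `op://` references are left unresolved and handed to later steps as literal strings; the difference matters for anyone building a platform matrix, and a one-line addition such as "the action exits with an error on Windows runners" (if that is what happens) settles it.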
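Review bot: the new Masking section states the rule (only concealed fields and secure notes are masked) but not its consequence for users: a sensitive value stored in a plain text field is still loaded into the environment and is printed in clear if it leaks into a log line. Add a sentence recommending that anything sensitive be stored as a concealed field in the 1Password item, and consider moving the short "masked in the logs" mention that this hunk removes from the introduction into a one-line pointer at the `# Prints: Secret: ***` comment in the Usage snippet, since that comment now appears well before masking is explained.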
From: Floris van der Grinten Date: Thu, 27 May 2021 16:07:29 +0200 Subject: [PATCH 5/6] Put configure action in separate section with own usage snippet --- README.md | 47 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index fc3574c..1bd5fc4 100644 --- a/README.md +++ b/README.md @@ -13,12 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + - name: Load secret uses: 1password/load-secrets-action@v1 env: OP_CONNECT_HOST: OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} SECRET: op://app-cicd/hello-world/secret + - name: Print masked secret run: echo "Secret: $SECRET" # Prints: Secret: *** @@ -83,13 +85,11 @@ jobs: ``` -## 1Password Connect +## Action Inputs -To use the action, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere. -To configure the action with your Connect URL and a Connect token, you can set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables. - -If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration. -Expand the usage snippet above to see an example of this. +| Name | Default | Description | +|---|---|---| +| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps | ## Secrets Reference Syntax 
@@ -112,19 +112,40 @@ If they accidentally get printed, they'll get replaced with `***`. To avoid unnecessary masks (like a username field), masks are only applied on fields marked as concealed (which show as `•••••` in the 1Password GUI) and on secure notes. -## Supported Runners +## 1Password Connect Configuration -You can run the action on Linux and macOS runners. Windows is currently not supported. +To use the action, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere. +To configure the action with your Connect URL and a Connect token, you can set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables. -## Action Inputs +If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration: -| Name | Default | Description | -|---|---|---| -| `unset-previous` | `false` | Whether to unset environment variables populated by 1Password in earlier job steps | +```yml +on: push +jobs: + hello-world: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 -### Inputs for the `configure` action + - name: Configure 1Password Connect + uses: 1password/load-secrets-action/configure@v1 + with: + connect-host: + connect-token: ${{ secrets.OP_CONNECT_TOKEN }} + + - name: Load secret + uses: 1password/load-secrets-action@v1 + env: + SECRET: op://app-cicd/hello-world/secret +``` + +### `configure` Action Inputs | Name | Default | Environment variable | Description | |---|---|---|---| | `connect-host` | | `OP_CONNECT_HOST` | Your 1Password Connect instance URL | | `connect-token` | | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance | + +## Supported Runners + +You can run the action on Linux and macOS runners. Windows is currently not supported. From 78c1989e1fd755d9b43632c5d6eb8cae52b9cdcd Mon Sep 17 00:00:00 2001 
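Review bot: the new `configure` snippet in the '1Password Connect Configuration' section passes `connect-token: ${{ secrets.OP_CONNECT_TOKEN }}`, which persists the Connect token for every later step of the job; that is exactly what the comment in the longer usage example warns against ("every single step in the job would then be able to access the token"). Either carry that caveat into this snippet or show only `connect-host` on the `configure` step and keep `OP_CONNECT_TOKEN` in the `env:` of the load step, as the other two examples in the README do, so the recommended pattern is consistent across the document.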
From: Floris van der Grinten Date: Thu, 27 May 2021 19:01:56 +0200 Subject: [PATCH 6/6] Rephrase section about masking --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1bd5fc4..c3f18a4 100644 --- a/README.md +++ b/README.md @@ -107,10 +107,11 @@ So for example, the reference URI `op://app-cicd/aws/secret-access-key` would be ## Masking -Just like regular GitHub repository secrets, secrets loaded from 1Password will automatically be masked from the GitHub Actions logs too. -If they accidentally get printed, they'll get replaced with `***`. +Similar to regular GitHub repository secrets, secret fields from 1Password will automatically be masked from the GitHub Actions logs too. +A 1Password field is considered 'secret' when it's marked as concealed (which shows as `•••••••` in the 1Password GUI) or when it's a secure note. +So if one of these values accidentally gets printed, it'll get replaced with `***`. -To avoid unnecessary masks (like a username field), masks are only applied on fields marked as concealed (which show as `•••••` in the 1Password GUI) and on secure notes. +This means that a username or port field for example will not get masked. ## 1Password Connect Configuration
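Review bot: with masking now explicitly conditional on the field type ("considered 'secret' when it's marked as concealed ... or when it's a secure note"), the `# Prints: Secret: ***` comment in the Usage snippet holds only if `op://app-cicd/hello-world/secret` is a concealed field; add a short comment in the snippet saying so, otherwise a reader who points the example at a plain text field will see the value printed and assume masking is broken. Also the GUI placeholder is written as `•••••••` here but was `•••••` in the previous wording; pick one.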