From a02ee663cc57c18a3ffd9a03730f9177a467bd87 Mon Sep 17 00:00:00 2001 From: Eddy Filip Date: Thu, 20 Apr 2023 18:50:07 +0200 Subject: [PATCH 1/4] Add documentation for service accounts --- README.md | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 173 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 23bbb85..b59db7b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Load Secrets from 1Password - GitHub Action -This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/). +This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/) or a Service Account[BETA]. Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. @@ -21,6 +21,10 @@ You can configure the action to use your 1Password Connect instance. If you provide `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` variables, the Connect instance will be used to load secrets. Make sure [1Password Connect](https://support.1password.com/secrets-automation/#step-2-deploy-a-1password-connect-server) is deployed in your infrastructure. +If you provide `OP_SERVICE_ACCOUNT_TOKEN` variable, the service account will be used to load secrets. + +**_Note_**: If all environment variables have been set, the Connect credentials will take precedence over the provided service account token. You must unset the Connect environment variables to ensure the action uses the service account token. + There are two ways that secrets can be loaded: - [use the secrets from the action's ouput](#use-secrets-from-the-actions-output) @@ -53,6 +57,33 @@ jobs: # Prints: Secret: *** ``` +
+Usage example with Service AccountsBETA + +```yml +on: push +jobs: + hello-world: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Load secret + id: op-load-secret + uses: 1password/load-secrets-action@v1 + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + SECRET: op://app-cicd/hello-world/secret + + - name: Print masked secret + run: echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}" + # Prints: Secret: *** +``` + +
+
Longer usage example @@ -99,10 +130,79 @@ jobs:
+
+Longer usage example with Service AccountsBETA + +```yml +on: push +name: Deploy app + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Configure 1Password Connect + uses: 1password/load-secrets-action/configure@v1 + with: + # Persist the 1Password Service Account token. Keep in mind that + # every single step in the job will be able to access the token. + service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + + - name: Load Docker credentials + id: load-docker-credentials + uses: 1password/load-secrets-action@v1 + with: + export-env: false + env: + DOCKERHUB_USERNAME: op://app-cicd/docker/username + DOCKERHUB_TOKEN: op://app-cicd/docker/token + + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }} + password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }} + + - name: Build and push Docker image + uses: docker/build-push-action@v2 + with: + push: true + tags: acme/app:latest +``` + +
+ ### Export secrets as environment variables This method, allows the action to access the loaded secrets as environment variables. These environment variables are accessible at a job level. +```yml +on: push +jobs: + hello-world: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Load secret + uses: 1password/load-secrets-action@v1 + with: + # Export loaded secrets as environment variables + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + SECRET: op://app-cicd/hello-world/secret + + - name: Print masked secret + run: echo "Secret: $SECRET" + # Prints: Secret: *** +``` + +
+Usage example with Service AccountsBETA + ```yml on: push jobs: @@ -126,6 +226,8 @@ jobs: # Prints: Secret: *** ``` +
+
Longer usage example @@ -192,6 +294,69 @@ jobs:
+
+Longer usage example with Service AccountsBETA + +```yml +on: push +name: Deploy app + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Configure 1Password Connect + uses: 1password/load-secrets-action/configure@v1 + with: + # Persist the 1Password Service Account token. Keep in mind that + # every single step in the job will be able to access the token. + service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + + - name: Load Docker credentials + uses: 1password/load-secrets-action@v1 + with: + # Export loaded secrets as environment variables + export-env: true + env: + DOCKERHUB_USERNAME: op://app-cicd/docker/username + DOCKERHUB_TOKEN: op://app-cicd/docker/token + + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ env.DOCKERHUB_USERNAME }} + password: ${{ env.DOCKERHUB_TOKEN }} + + - name: Print environment variables with masked secrets + run: printenv + + - name: Build and push Docker image + uses: docker/build-push-action@v2 + with: + push: true + tags: acme/app:latest + + - name: Load AWS credentials + uses: 1password/load-secrets-action@v1 + with: + # Export loaded secrets as environment variables + export-env: true + # Remove local copies of the Docker credentials, which are not needed anymore + unset-previous: true + env: + AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id + AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key + + - name: Deploy app + # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was + # done automatically by the step above + run: ./deploy.sh +``` + +
+ ## Action Inputs | Name | Default | Description | @@ -224,6 +389,8 @@ So if one of these values accidentally gets printed, it'll get replaced with `** To use the action with Connect, you need to have a [1Password Connect](https://support.1password.com/secrets-automation/#step-1-set-up-a-secrets-automation-workflow) instance deployed somewhere. To configure the action with your Connect host and token, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables. +To configure the action with your service account token BETA, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable. + If you're using the `load-secrets` action more than once in a single job, you can use the `configure` action to avoid duplicate configuration: ```yml @@ -247,10 +414,11 @@ jobs: ### `configure` Action Inputs -| Name | Environment variable | Description | -| --------------- | -------------------- | -------------------------------------------------------- | -| `connect-host` | `OP_CONNECT_HOST` | Your 1Password Connect instance URL | -| `connect-token` | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance | +| Name | Environment variable | Description | +| ----------------------- | -------------------------- | -------------------------------------------------------- | +| `connect-host` | `OP_CONNECT_HOST` | Your 1Password Connect instance URL | +| `connect-token` | `OP_CONNECT_TOKEN` | Token to authenticate to your 1Password Connect instance | +| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | Your 1Password service account token | ## Supported Runners From 9c1afd6054a1f8333cbd926ac34ee49aebf436d6 Mon Sep 17 00:00:00 2001 From: Eddy Filip Date: Thu, 20 Apr 2023 18:53:49 +0200 Subject: [PATCH 2/4] Adjust action versions used in examples In this way we keep them relevant with the latest versions --- README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index b59db7b..f3d03a3 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Load secret id: op-load-secret @@ -66,7 +66,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Load secret id: op-load-secret @@ -95,7 +95,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 @@ -116,13 +116,13 @@ jobs: DOCKERHUB_TOKEN: op://app-cicd/docker/token - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }} password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: push: true tags: acme/app:latest @@ -141,7 +141,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 @@ -160,13 +160,13 @@ jobs: DOCKERHUB_TOKEN: op://app-cicd/docker/token - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }} password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: push: true tags: acme/app:latest @@ -184,7 +184,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Load secret uses: 1password/load-secrets-action@v1 @@ -209,7 +209,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Load secret uses: 1password/load-secrets-action@v1 @@ -239,7 +239,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 @@ -260,7 +260,7 @@ jobs: DOCKERHUB_TOKEN: op://app-cicd/docker/token - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ env.DOCKERHUB_USERNAME }} password: ${{ env.DOCKERHUB_TOKEN }} @@ -269,7 +269,7 @@ jobs: run: printenv - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: push: true tags: acme/app:latest @@ -305,7 +305,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 @@ -324,7 +324,7 @@ jobs: DOCKERHUB_TOKEN: op://app-cicd/docker/token - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ env.DOCKERHUB_USERNAME }} password: ${{ env.DOCKERHUB_TOKEN }} @@ -333,7 +333,7 @@ jobs: run: printenv - name: Build and push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v3 with: push: true tags: acme/app:latest @@ -399,7 +399,7 @@ jobs: hello-world: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 From f4a99d45989a04dec415d6c1a126c7d0d030f2e3 Mon Sep 17 00:00:00 2001 From: Eddy Filip Date: Thu, 20 Apr 2023 20:50:59 +0200 Subject: [PATCH 3/4] Make small edits --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f3d03a3..338f824 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Load Secrets from 1Password - GitHub Action -This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://1password.com/secrets/) or a Service Account[BETA]. +This action loads secrets from 1Password into GitHub Actions using [1Password Connect](https://developer.1password.com/docs/connect) or a [Service Account [BETA]](https://developer.1password.com/docs/service-accounts). Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps. @@ -58,7 +58,7 @@ jobs: ```
-Usage example with Service AccountsBETA +Usage example with Service Accounts BETA ```yml on: push @@ -131,7 +131,7 @@ jobs:
-Longer usage example with Service AccountsBETA +Longer usage example with Service Accounts BETA ```yml on: push @@ -201,7 +201,7 @@ jobs: ```
-Usage example with Service AccountsBETA +Usage example with Service Accounts BETA ```yml on: push @@ -295,7 +295,7 @@ jobs:
-Longer usage example with Service AccountsBETA +Longer usage example with Service Accounts BETA ```yml on: push @@ -428,9 +428,9 @@ You can run the action on Linux and macOS runners. Windows is currently not supp 1Password requests you practice responsible disclosure if you discover a vulnerability. -Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). +Please file requests through [BugCrowd](https://bugcrowd.com/agilebits). -For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits). +For information about our security practices, visit the [1Password Security homepage](https://1password.com/security). ## Getting help From f4303b27ca64e37e2d2d8c0d26e783b4909f8a7a Mon Sep 17 00:00:00 2001 From: Eddy Filip Date: Mon, 24 Apr 2023 11:17:52 +0200 Subject: [PATCH 4/4] Improve wording --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 338f824..2eb8354 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ jobs: with: # Persist the 1Password Connect URL for next steps. You can also persist # the Connect token using input `connect-token`, but keep in mind that - # every single step in the job would then be able to access the token. + # this will grant all steps of the job access to the token. connect-host: https://1password.acme.com - name: Load Docker credentials @@ -146,8 +146,8 @@ jobs: - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 with: - # Persist the 1Password Service Account token. Keep in mind that - # every single step in the job will be able to access the token. + # Persist the 1Password Service Account token. This will grant + # all steps of the job access to the token. service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Load Docker credentials @@ -246,7 +246,7 @@ jobs: with: # Persist the 1Password Connect URL for next steps. You can also persist # the Connect token using input `connect-token`, but keep in mind that - # every single step in the job would then be able to access the token. + # this will grant all steps of the job access to the token. connect-host: https://1password.acme.com - name: Load Docker credentials @@ -279,7 +279,7 @@ jobs: with: # Export loaded secrets as environment variables export-env: true - # Remove local copies of the Docker credentials, which are not needed anymore + # Remove local copies of the Docker credentials, which aren't needed anymore unset-previous: true env: OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} @@ -287,8 +287,8 @@ jobs: AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key - name: Deploy app - # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was - # done automatically by the step above + # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set. + # This happened using secret references in the preceding lines. run: ./deploy.sh ``` @@ -310,8 +310,8 @@ jobs: - name: Configure 1Password Connect uses: 1password/load-secrets-action/configure@v1 with: - # Persist the 1Password Service Account token. Keep in mind that - # every single step in the job will be able to access the token. + # Persist the 1Password Service Account token. This will grant + # all steps of the job access to the token. service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Load Docker credentials @@ -343,15 +343,15 @@ jobs: with: # Export loaded secrets as environment variables export-env: true - # Remove local copies of the Docker credentials, which are not needed anymore + # Remove local copies of the Docker credentials, which aren't needed anymore unset-previous: true env: AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key - name: Deploy app - # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was - # done automatically by the step above + # This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set. + # This happened using secret references in the preceding lines. run: ./deploy.sh ```