If you have been following me, I have published two articles before: one on CI/CD with GitHub Actions to deploy an application to Azure App Service, and one on CI/CD with GitHub Actions to deploy an application to an Azure Kubernetes cluster.
In both articles I used GitHub Environments to hold the secrets. But what if you want to keep your secrets in Azure Key Vault instead? Key Vault has some advantages over GitHub secrets: you can read back a secret's value to verify it, you can roll a secret to a new version programmatically when needed, and you can control who has access to it on a per-need basis.
So here is an example of preparing your appsettings.Production.json (or any other config file) by reading its secrets from Azure Key Vault. Follow these steps:
1. The first thing we need is connectivity to Azure so that the pipeline can perform an Azure login. For this I always recommend a service principal rather than a user id and password. The service principal credentials are the only setting you need to store as a GitHub secret; everything else is fetched from Key Vault after the login.
Here is the command to create the service principal:
az ad sp create-for-rbac --name "{your_serviceprincipal_name}" --scope /subscriptions/{subscription_id}/resourceGroups/{resourceGroupName} --role Contributor --sdk-auth
Note: I am creating the service principal with the Contributor role at resource group level because that is what my pipeline needs, but I recommend narrowing the role to the minimum access your own pipeline requires.
2. Next we need to grant the service principal created above access to read secrets from the Key Vault. Log in to the Azure portal, navigate to your Key Vault => Access policies and click +Create.
From the Permissions tab: select Get, List and Decrypt under Key Permissions, and Get and List under both Secret Permissions and Certificate Permissions.
From the Principal tab: search for your service principal and select it.
3. Setup is done. Now add the steps to your GitHub Actions workflow that read the secrets from Azure Key Vault:
steps:
  - uses: actions/checkout@v2
  - uses: Azure/login@v1
    with:
      creds: ${{ secrets.YourServicePrincipal }}
  - uses: Azure/get-keyvault-secrets@v1
    with:
      keyvault: "{Your_KeyVaultName}"
      secrets: 'CONNECTIONSTRING'
    id: azKeyVaultSecretAction
  - name: Replace token for appsettings.Production.json
    uses: cschleiden/replace-tokens@v1.1
    with:
      files: '["src/MyDemoApp/appsettings.Production.json"]'
    env:
      ConnectionString: ${{ steps.azKeyVaultSecretAction.outputs.CONNECTIONSTRING }}
In the above workflow:
a. first we check out the code repository,
b. then we log in to Azure; 'YourServicePrincipal' is the GitHub secret holding the service principal credentials you created in step 1,
c. then we read the secret 'CONNECTIONSTRING' from Azure Key Vault, and finally
d. the replace-tokens step substitutes the 'ConnectionString' environment variable (set from the Key Vault step's output) for the matching token in appsettings.Production.json.
Note: to read multiple secrets, list all the secret names comma-separated, i.e.
secrets: 'CONNECTIONSTRING, OTHERSECRETS1, OTHERSECRETS2'
And we are done! Please refer to my previously published articles for the complete end-to-end GitHub Actions workflows.
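As an added example (not the original post's code, and not the code of any of the actions it uses), here is the same pair of steps written as a shell script for a pipeline that would rather not depend on a third-party token-replacement action: it fetches a secret with `az keyvault secret show` after the Azure/login step, then substitutes `#{NAME}#` placeholders (the form cschleiden/replace-tokens uses by default) with values taken from environment variables. The function names `fetch_secret` and `replace_tokens`, the `KEYVAULT_NAME` variable and the sample config in the test are my assumptions. Two things it adds on top of the workflow above: it registers each value with the `::add-mask::` workflow command so the runner redacts the secret from the job log, and it fails the step when a variable is unset instead of silently writing an empty connection string into the config.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Reads a Key Vault secret and
# substitutes #{NAME}# placeholders in a config file from environment variables.
set -eu

# fetch_secret VAULT SECRET -> prints the secret value on stdout.
# Only works where the az CLI is already logged in (i.e. after Azure/login).
fetch_secret() {
  az keyvault secret show --vault-name "$1" --name "$2" --query value -o tsv
}

# replace_tokens FILE NAME1 [NAME2 ...]
# For every NAME, replaces each #{NAME}# in FILE with the value of $NAME.
# Fails if NAME is unset, so a missing secret breaks the build instead of
# shipping an empty value.
replace_tokens() {
  local file=$1; shift
  local name is_set value
  for name in "$@"; do
    # Accept only plain identifiers before the name reaches eval.
    case $name in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "replace_tokens: bad variable name '$name'" >&2; return 1 ;;
    esac
    eval "is_set=\${$name+x}"
    if [ -z "$is_set" ]; then
      echo "replace_tokens: \$$name is not set" >&2
      return 1
    fi
    eval "value=\${$name}"
    # On a GitHub runner, ask it to redact this value from the log.
    if [ -n "${GITHUB_ACTIONS:-}" ]; then
      printf '::add-mask::%s\n' "$value"
    fi
    # Pass token and value through the environment so awk treats them as
    # literal text (no regex metacharacters, no backslash escapes).
    TOK="#{$name}#" VAL="$value" awk '
      BEGIN { tok = ENVIRON["TOK"]; val = ENVIRON["VAL"] }
      {
        line = $0; out = ""
        while ((i = index(line, tok)) > 0) {
          out = out substr(line, 1, i - 1) val
          line = substr(line, i + length(tok))
        }
        print out line
      }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  done
}

# Pipeline usage (assumed variable name): set KEYVAULT_NAME in the step's env
# and run this script after the Azure/login step. Does nothing when unset.
if [ -n "${KEYVAULT_NAME:-}" ]; then
  ConnectionString=$(fetch_secret "$KEYVAULT_NAME" CONNECTIONSTRING)
  replace_tokens src/MyDemoApp/appsettings.Production.json ConnectionString
fi
```

The awk loop uses `index()` and `substr()` rather than `sed` or `gsub()` so that a connection string containing `\`, `&` or `$` is inserted exactly as stored in Key Vault.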
Hope you enjoyed the content, follow me for more like this and please don’t forget to like/comment for it. Happy programming.