How to Load Azure Key Vault Secrets in GitHub Actions
azure/login with OIDC gets a token, then az keyvault secret show reads each secret so you can mask and export it.
Log in with azure/login using federated credentials (client-id, tenant-id, subscription-id), then read values with az keyvault secret show, mask them, and write them to $GITHUB_ENV.
Steps
- Add
permissions: id-token: writeand log in withazure/login(OIDC). - Run
az keyvault secret show --vault-name <vault> --name <secret>. - Mask the value with
::add-mask::and append it to$GITHUB_ENV. - Grant the federated identity a Key Vault access policy or RBAC role.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- run: |
VALUE=$(az keyvault secret show --vault-name kv-prod \
--name db-password --query value -o tsv)
echo "::add-mask::$VALUE"
echo "DB_PASSWORD=$VALUE" >> "$GITHUB_ENV"Gotchas
- The app registration needs a
Getsecret permission (access policy) or the Key Vault Secrets User role. - Use
-o tsvso the value is raw text, not JSON-quoted.
Related guides
How to Pull HashiCorp Vault Secrets With vault-action in GitHub ActionsFetch secrets from HashiCorp Vault in a GitHub Actions job using hashicorp/vault-action, mapping KV v2 paths…
How to Authenticate to Azure via Federated OIDC Credentials in GitHub ActionsLog in to Azure from GitHub Actions with passwordless OIDC by registering a federated credential on an app re…