How to Read Secrets From AWS Secrets Manager in a Workflow in GitHub Actions
Authenticate with OIDC, then aws-actions/aws-secretsmanager-get-secrets fetches secrets at run time and exports them as masked environment variables.
Assume a role via OIDC, then run aws-actions/aws-secretsmanager-get-secrets with the secret IDs. It masks the values and writes them to the job environment.
Steps
- Assume an AWS role with OIDC (no static keys).
- List secret IDs in
aws-actions/aws-secretsmanager-get-secrets. - Use the exported, masked env vars in later steps.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
app:
runs-on: ubuntu-latest
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gha
aws-region: us-east-1
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
prod/db
- run: ./migrate.sh # PROD_DB_* now in env, maskedGotchas
- JSON secrets are split into one env var per key; control names with
parse-json-secrets. - The values are masked but still live in the runner process environment for the job.
Related guides
How to Fetch Secrets From HashiCorp Vault With OIDC in GitHub ActionsRead secrets from HashiCorp Vault in GitHub Actions using JWT auth and hashicorp/vault-action, trading the wo…
How to Store and Use an Encrypted Secret in GitHub ActionsAdd an encrypted repository secret in GitHub Actions and consume it safely by mapping it to an env var on the…