Skip to content
Latchkey

How to Read Secrets From AWS Secrets Manager in a Workflow in GitHub Actions

Authenticate with OIDC, then aws-actions/aws-secretsmanager-get-secrets fetches secrets at run time and exports them as masked environment variables.

Assume a role via OIDC, then run aws-actions/aws-secretsmanager-get-secrets with the secret IDs. It masks the values and writes them to the job environment.

Steps

  • Assume an AWS role with OIDC (no static keys).
  • List secret IDs in aws-actions/aws-secretsmanager-get-secrets.
  • Use the exported, masked env vars in later steps.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  app:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha
          aws-region: us-east-1
      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            prod/db
      - run: ./migrate.sh   # PROD_DB_* now in env, masked

Gotchas

  • JSON secrets are split into one env var per key; control names with parse-json-secrets.
  • The values are masked but still live in the runner process environment for the job.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →