Securing Secrets using HashiCorp Vault

Managing secrets across multiple repositories can be error‐prone, inconsistent, and difficult to audit. By integrating HashiCorp Vault with GitHub Actions, you can centralize secret storage, enforce versioning, and keep your CI/CD pipelines secure.

Why Centralized Secrets Matter

GitHub supports two secret scopes:

Scope	Versioning	Management Overhead	Best Use Case
Repository-level	No	High (per repo)	Single-repo deployments
Environment-level	No	High (per env)	Environment-specific workflows
Vault Secrets (HCP)	Yes	Low (centralized)	Multi-repo CI/CD pipelines

1. Reviewing GitHub Repository Secrets

Most teams start by defining secrets directly in GitHub. You’ll find them at Settings → Secrets and variables → Actions.

The image shows a GitHub repository page with files and a README section titled "Exploring Actions." The repository has a main branch with no protection and includes files like `.github/workflows`, `README.md`, and `ascii-script.sh`.

The image shows the settings page of a GitHub repository, displaying options for general settings, default branch, and social preview. The interface is in dark mode with various configuration options visible on the left sidebar.

The image shows a GitHub repository settings page for managing secrets and variables, with a focus on repository secrets, including a "DOCKER_PASSWORD" entry.

Note

Repository-level secrets are not versioned. Managing them individually across many repos can quickly become tedious and error-prone.

2. Setting Up a Simple Vault‐Demo Workflow

Create a workflow file at .github/workflows/vault-demo.yml:

The image shows a GitHub repository interface with a list of YAML workflow files under the ".github/workflows" directory. The files have various commit messages and timestamps.

name: Vault Demo
on:
  workflow_dispatch:
jobs:
  echo-vault-secret:
    runs-on: ubuntu-latest
    steps:
      - name: Check for AWS_API_KEY
        run: |
          if [[ -z "${{ secrets.AWS_API_KEY }}" ]]; then
            echo "Secret Not Found" && exit 1
          else
            echo "Secret Found" && exit 0
          fi

Running this before adding the secret returns:

Run if [[ -z "${{ secrets.AWS_API_KEY }}" ]]; then ...
Secret Not Found
Error: Process completed with exit code 1.

3. Storing a Secret in HashiCorp Vault

Sign in to the HashiCorp Cloud Platform and select Vault:
In the HCP dashboard, click Vault Secrets to open the managed secrets service:
Create an application (e.g., Secret App), then add a key AWS_API_KEY with your value:

4. Integrating Vault Secrets with GitHub Actions

In the Vault UI, go to Integrations → GitHub Actions, then authorize the GitHub App on your organization or account:
Select the repo(s) to sync and install:
After installation, Vault Secrets pushes AWS_API_KEY to your repo. Refresh Settings → Secrets and variables → Actions:

5. Verifying the Pipeline

Note

If you ran the workflow before syncing, you might still see a failed status. Rerun to pick up the new secret.

The image shows a GitHub Actions interface with a "Vault Demo" workflow that has been manually run, displaying a failed status.

Once synced, triggering Vault Demo again outputs:

Run if [[ -z "***" ]]; then ...
Secret Found

Watch Video