Securing Secrets using HashiCorp Vault

Why Centralized Secrets Matter
1. Reviewing GitHub Repository Secrets
2. Setting Up a Simple Vault‐Demo Workflow
3. Storing a Secret in HashiCorp Vault
4. Integrating Vault Secrets with GitHub Actions
5. Verifying the Pipeline
Further Reading & References

Managing secrets across multiple repositories can be error‐prone, inconsistent, and difficult to audit. By integrating HashiCorp Vault with GitHub Actions, you can centralize secret storage, enforce versioning, and keep your CI/CD pipelines secure.

Why Centralized Secrets Matter

GitHub supports two secret scopes:

Scope	Versioning	Management Overhead	Best Use Case
Repository-level	No	High (per repo)	Single-repo deployments
Environment-level	No	High (per env)	Environment-specific workflows
Vault Secrets (HCP)	Yes	Low (centralized)	Multi-repo CI/CD pipelines

1. Reviewing GitHub Repository Secrets

Most teams start by defining secrets directly in GitHub. You’ll find them at Settings → Secrets and variables → Actions.

The image shows a GitHub repository page with files and a README section titled "Exploring Actions." The repository has a main branch with no protection and includes files like .github/workflows, README.md, and ascii-script.sh.

The image shows the settings page of a GitHub repository, displaying options for general settings, default branch, and social preview. The interface is in dark mode with various configuration options visible on the left sidebar.

The image shows a GitHub repository settings page for managing secrets and variables, with a focus on repository secrets, including a "DOCKER_PASSWORD" entry.

Repository-level secrets are not versioned. Managing them individually across many repos can quickly become tedious and error-prone.

2. Setting Up a Simple Vault‐Demo Workflow

Create a workflow file at .github/workflows/vault-demo.yml:

The image shows a GitHub repository interface with a list of YAML workflow files under the ".github/workflows" directory. The files have various commit messages and timestamps.

name: Vault Demo
on:
  workflow_dispatch:
jobs:
  echo-vault-secret:
    runs-on: ubuntu-latest
    steps:
      - name: Check for AWS_API_KEY
        run: |
          if [[ -z "${{ secrets.AWS_API_KEY }}" ]]; then
            echo "Secret Not Found" && exit 1
          else
            echo "Secret Found" && exit 0
          fi

Running this before adding the secret returns:

Run if [[ -z "${{ secrets.AWS_API_KEY }}" ]]; then ...
Secret Not Found
Error: Process completed with exit code 1.

3. Storing a Secret in HashiCorp Vault

In the HCP dashboard, click Vault Secrets to open the managed secrets service:

The image shows a project dashboard from HashiCorp Cloud Platform, displaying various services like Boundary, Consul, Packer, Vault, and others, along with sections for active resources and billing summary.

Create an application (e.g., Secret App), then add a key AWS_API_KEY with your value:

The image shows a dashboard interface for HashiCorp Vault Secrets, welcoming a user and offering options to create an application and access resources like documentation and blog posts.

The image shows a web interface for managing secrets in HashiCorp Cloud, with options to add or import secrets. A notification at the top announces that Vault Secrets is now generally available.

4. Integrating Vault Secrets with GitHub Actions

In the Vault UI, go to Integrations → GitHub Actions, then authorize the GitHub App on your organization or account:

The image shows a web interface for integrating secret management tools, featuring options to add AWS Secrets Manager, GitHub Actions, and Vercel. It also includes documentation links for Terraform and Docker.

Select the repo(s) to sync and install:

The image shows a GitHub interface for selecting repositories to integrate with HCP Vault Secrets, with a list of repositories displayed in a dropdown menu.

After installation, Vault Secrets pushes AWS_API_KEY to your repo. Refresh Settings → Secrets and variables → Actions:

The image shows a GitHub repository settings page, specifically the "Secrets and variables" section, with two repository secrets listed: "AWS_API_KEY" and "DOCKER_PASSWORD."

5. Verifying the Pipeline

If you ran the workflow before syncing, you might still see a failed status. Rerun to pick up the new secret.

The image shows a GitHub Actions interface with a "Vault Demo" workflow that has been manually run, displaying a failed status.

Once synced, triggering Vault Demo again outputs:

Run if [[ -z "***" ]]; then ...
Secret Found

Watch Video

Mitigating Script Injection Attack

Adding a workflow status badge

⌘I

Introduction

Reusable Workflows and Reporting

Custom Actions

Self Hosted Runner

Security Guide

Continuous Deployment with Git Hub Actions

Continuous Integration with Git Hub Actions

Git Hub Actions Core Concepts

Securing Secrets using HashiCorp Vault

Why Centralized Secrets Matter

1. Reviewing GitHub Repository Secrets

2. Setting Up a Simple Vault‐Demo Workflow

3. Storing a Secret in HashiCorp Vault

4. Integrating Vault Secrets with GitHub Actions

5. Verifying the Pipeline

Further Reading & References

Watch Video

Introduction

Reusable Workflows and Reporting

Custom Actions

Self Hosted Runner

Security Guide

Continuous Deployment with Git Hub Actions

Continuous Integration with Git Hub Actions

Git Hub Actions Core Concepts

​Why Centralized Secrets Matter

​1. Reviewing GitHub Repository Secrets

​2. Setting Up a Simple Vault‐Demo Workflow

​3. Storing a Secret in HashiCorp Vault

​4. Integrating Vault Secrets with GitHub Actions

​5. Verifying the Pipeline

​Further Reading & References

Watch Video

Why Centralized Secrets Matter

1. Reviewing GitHub Repository Secrets

2. Setting Up a Simple Vault‐Demo Workflow

3. Storing a Secret in HashiCorp Vault

4. Integrating Vault Secrets with GitHub Actions

5. Verifying the Pipeline

Further Reading & References