Cloud Provider Native Secrets Management
Cloud Provider Native Secrets Management
Major cloud providers offer native secrets management services that integrate seamlessly with their platforms. AWS Secrets Manager, Azure Key Vault, and Google Secret Manager provide managed solutions with built-in high availability, encryption, and audit logging. These services excel for cloud-native applications but may create vendor lock-in.
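# GitHub Actions with cloud provider secrets
#
# Both jobs pull runtime secrets from the provider's secrets service at
# deploy time instead of storing them as repository secrets. The `uses:`
# references below are floating major-version tags (@v3, @v2, @v1); for
# supply-chain safety pin each one to a full-length commit SHA
# (placeholder: <commit-sha>) and let a dependency bot bump it.
name: Secure Deployment Pipeline

on:
  push:
    branches: [main]

jobs:
  deploy-aws:
    runs-on: ubuntu-latest
    # Least privilege: id-token is only needed for the OIDC exchange,
    # contents: read only for checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3

      # AWS OIDC authentication (no long-lived credentials)
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          # 123456789012 is a sample account ID; replace with your own.
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActions
          role-session-name: GitHubActions
          aws-region: us-east-1

      # Retrieve secrets from AWS Secrets Manager
      - name: Get deployment secrets
        shell: bash
        run: |
          # Abort if a fetch fails rather than exporting empty values.
          set -euo pipefail

          # Get database credentials: one JSON secret holding
          # host/port/database/username/password.
          DB_CREDS=$(aws secretsmanager get-secret-value \
            --secret-id prod/database/credentials \
            --query SecretString --output text)

          # Mask the sensitive fields *before* they are exported so any
          # later log line that prints them is redacted.
          echo "::add-mask::$(jq -r .username <<<"$DB_CREDS")"
          echo "::add-mask::$(jq -r .password <<<"$DB_CREDS")"

          # Export to later steps via $GITHUB_ENV (not to this step's log).
          {
            echo "DB_HOST=$(jq -r .host <<<"$DB_CREDS")"
            echo "DB_PORT=$(jq -r .port <<<"$DB_CREDS")"
            echo "DB_NAME=$(jq -r .database <<<"$DB_CREDS")"
            echo "DB_USER=$(jq -r .username <<<"$DB_CREDS")"
            echo "DB_PASS=$(jq -r .password <<<"$DB_CREDS")"
          } >> "$GITHUB_ENV"

          # Get API keys
          API_KEYS=$(aws secretsmanager get-secret-value \
            --secret-id prod/api/keys \
            --query SecretString --output text)
          echo "::add-mask::$(jq -r .stripe_key <<<"$API_KEYS")"
          echo "STRIPE_API_KEY=$(jq -r .stripe_key <<<"$API_KEYS")" >> "$GITHUB_ENV"

      # Use Parameter Store for configuration
      - name: Get configuration
        shell: bash
        run: |
          set -euo pipefail
          # Get all parameters by path. --with-decryption also returns
          # SecureString values in clear text, so the parameter Type is
          # read alongside the value and SecureString values are masked.
          # --output text is tab-separated; splitting on tabs keeps
          # values that contain spaces intact.
          aws ssm get-parameters-by-path \
            --path "/myapp/prod/" \
            --recursive \
            --with-decryption \
            --query "Parameters[*].[Name,Type,Value]" \
            --output text | while IFS=$'\t' read -r name type value; do
            # Convert the last path segment of the parameter name to an env var name
            var_name=$(echo "${name##*/}" | tr '[:lower:]' '[:upper:]')
            if [ "$type" = "SecureString" ]; then
              echo "::add-mask::${value}"
            fi
            echo "${var_name}=${value}" >> "$GITHUB_ENV"
          done

      - name: Deploy application
        run: |
          # Secrets are now available as environment variables
          ./deploy.sh

  deploy-azure:
    runs-on: ubuntu-latest
    # azure/login with only client-id/tenant-id/subscription-id (no client
    # secret) authenticates via OIDC federated credentials, which needs
    # id-token: write, the same as the AWS job.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Azure Login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # NOTE(review): this action appears to be deprecated upstream; confirm
      # it is still maintained, or fetch the values with `az keyvault secret
      # show` in an azure/cli step instead.
      - name: Get secrets from Key Vault
        id: keyvault
        uses: Azure/get-keyvault-secrets@v1
        with:
          keyvault: "myapp-prod-kv"
          secrets: 'DatabasePassword, ApiKey, StorageConnectionString'

      - name: Deploy to Azure
        # Pass the Key Vault outputs through `env:` instead of interpolating
        # `${{ }}` into the script body: an expression inside `run:` is
        # substituted as raw text before the shell parses it, so a value
        # containing a quote would break out of the string (script
        # injection). Variables set in `env:` are inherited by
        # ./deploy-azure.sh exactly as the previous `export` lines were.
        env:
          DB_PASSWORD: ${{ steps.keyvault.outputs.DatabasePassword }}
          API_KEY: ${{ steps.keyvault.outputs.ApiKey }}
          STORAGE_CONN: ${{ steps.keyvault.outputs.StorageConnectionString }}
        run: |
          # Secrets from Key Vault are available as environment variables
          ./deploy-azure.sh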