Creating the github secret name dynamically

mehmetberksouksutb · November 5, 2021, 3:40pm

Hello,

I have a project that deploy my product via GIthub Actions. I created the script and eploying my product to Azure and for that I need to access to Azure via Github Actions. For every deployment I have a different Azure Credentials and it is stored in the organizational secret. I want to access this dynamically.

For example, the name of the project is TRY, the name of the secret will be AZURE_CREDENTIAL_TRY. SO to be able to call it dynamically, I need to do something like this:
${{ secrets.AZURE_CREDENTIAL_ }}. So I need to concatinate them inside the secret definition, but I am not sure if it is applicable or anyone that knows other ways to achieve this.

jsoref · May 13, 2022, 7:22pm

My guess and hope is that this isn’t possible, the security ramifications for it are too scary.

I’d suggest a reusable workflow (or an action) that takes a credential.

Then add a template (or something that is effectively a template) and in each templated version just fill in the specific credential you’re using and the name of the thing and have that call the reusable workflow/action.

Simran-B · May 15, 2022, 1:13am

You can access secrets dynamically using the bracket notation:

${{ secrets[format('AZURE_CREDENTIAL_{0}', env.PROJECT_NAME)] }}

The use of env here is just an example, you could also set an output in a previous step and then refer to it in the expression.

CrusaderX · May 16, 2022, 10:25am

You can do that with workflow input. Let’s imagine, that your input contains

      credentials:
        type: choice
        required: true
        default: TRY
        options:
          - TRY
          - NO_TRY
          - ANOTHER_TRY
jobs:
  configure:
    runs-on: ubuntu-latest
    outputs:
      AZURE_CREDENTIAL: ${{ steps.configs.outputs.AZURE_CREDENTIAL }}
    steps:
      - name: set configurations for the rest of pipeline
         id: configs
         run: |
           echo "::set-output name= AZURE_CREDENTIAL:: AZURE_CREDENTIAL_${{ github.event.inputs.credentials }}"

And you can get access to the secrets via format ${{ secrets[..outputs.AZURE_CREDENTIAL] }} between jobs or another syntax, depends on your case, for instsance:

  build:
    needs: configure
    runs-on: ubuntu-latest
    steps:
      - name: use my secrets
         env: 
           AZURE_CREDENTIAL: ${{ secrets[needs.configure.outputs.AZURE_CREDENTIAL] }}
         run: |
           ...