Creating the github secret name dynamically

Hello,

I have a project that deploys my product via GitHub Actions. I created the script and am deploying my product to Azure, and for that I need to access Azure via GitHub Actions. For every deployment I have different Azure Credentials, and they are stored in the organizational secrets. I want to access these dynamically.

For example, if the name of the project is TRY, the name of the secret will be AZURE_CREDENTIAL_TRY. So to be able to call it dynamically, I need to do something like this:
${{ secrets.AZURE_CREDENTIAL_ }}. So I need to concatenate them inside the secret definition, but I am not sure if it is applicable, or if anyone knows other ways to achieve this.

My guess and hope is that this isn’t possible, the security ramifications for it are too scary.

I’d suggest a reusable workflow (or an action) that takes a credential.

Then add a template (or something that is effectively a template) and in each templated version just fill in the specific credential you’re using and the name of the thing and have that call the reusable workflow/action.
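The reusable-workflow approach suggested above, written out as an added example (not code from the thread): one `workflow_call` workflow that receives the credential as a declared secret, plus one small caller per project that fills in only the project name and the matching organization secret. Secret names, project names and the `azure/login` step are assumptions for illustration; only the secrets the caller explicitly passes are visible to the reusable workflow.

```yaml
# .github/workflows/azure-deploy.yml  (reusable workflow; added example, not from the thread)
name: azure-deploy

on:
  workflow_call:
    inputs:
      project:
        type: string
        required: true
    secrets:
      azure_credential:
        required: true

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # The credential arrives as a named secret of this workflow; which
      # organization secret backs it is decided by the caller alone.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.azure_credential }}
      - run: echo "deploying ${PROJECT}"
        env:
          PROJECT: ${{ inputs.project }}

---
# .github/workflows/deploy-try.yml  (one caller per project; only the two
# values that differ per project are filled in here)
name: deploy-try

on:
  workflow_dispatch:

jobs:
  try:
    uses: ./.github/workflows/azure-deploy.yml
    with:
      project: TRY
    secrets:
      # the secret name is a literal, so each caller can only ever reach its own credential
      azure_credential: ${{ secrets.AZURE_CREDENTIAL_TRY }}
```

Because each caller names its secret statically, the set of credentials a given workflow can touch is visible in the file and reviewable in a pull request, which is the property the dynamic lookup gives up.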

You can access secrets dynamically using the bracket notation:

${{ secrets[format('AZURE_CREDENTIAL_{0}', env.PROJECT_NAME)] }}

The use of env here is just an example, you could also set an output in a previous step and then refer to it in the expression.


You can do that with workflow input. Let’s imagine, that your input contains

on:
  workflow_dispatch:
    inputs:
      credentials:
        type: choice
        required: true
        default: TRY
        options:
          - TRY
          - NO_TRY
          - ANOTHER_TRY
jobs:
  configure:
    runs-on: ubuntu-latest
    outputs:
      AZURE_CREDENTIAL: ${{ steps.configs.outputs.AZURE_CREDENTIAL }}
    steps:
      - name: set configurations for the rest of pipeline
        id: configs
        # write the output through GITHUB_OUTPUT (the ::set-output command is deprecated);
        # no spaces around the name or value, or the secrets[...] lookup will not match
        run: |
          echo "AZURE_CREDENTIAL=AZURE_CREDENTIAL_${{ github.event.inputs.credentials }}" >> "$GITHUB_OUTPUT"

And you can get access to the secrets via the format ${{ secrets[..outputs.AZURE_CREDENTIAL] }} between jobs, or another syntax, depending on your case, for instance:

  build:
    needs: configure
    runs-on: ubuntu-latest
    steps:
      - name: use my secrets
        env:
          AZURE_CREDENTIAL: ${{ secrets[needs.configure.outputs.AZURE_CREDENTIAL] }}
        run: |
          ...
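A complete workflow combining the two answers above (the `secrets[format(...)]` bracket lookup and the `choice` input), as an added example that is not code from the thread. It assumes organization secrets named AZURE_CREDENTIAL_TRY, AZURE_CREDENTIAL_NO_TRY and AZURE_CREDENTIAL_ANOTHER_TRY exist and are shared with this repository; the `azure/login` step stands in for whatever consumes the credential. The `choice` input is what keeps the lookup bounded: only the listed project names can ever be turned into a secret name. The extra step covers the failure mode the bracket syntax has on its own: looking up a secret that does not exist yields an empty string, not an error.

```yaml
# Added example, not from the original thread. Secret names, project names and
# the login step are assumptions for illustration.
name: deploy

on:
  workflow_dispatch:
    inputs:
      project:
        description: Project whose Azure credential should be used
        type: choice
        required: true
        default: TRY
        options:
          - TRY
          - NO_TRY
          - ANOTHER_TRY

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Resolve the secret name from the allow-listed input inside the expression
      # itself; no intermediate job or output step is needed.
      AZURE_CREDENTIAL: ${{ secrets[format('AZURE_CREDENTIAL_{0}', inputs.project)] }}
      PROJECT: ${{ inputs.project }}
    steps:
      - name: fail fast if the secret does not exist
        # An undefined secret evaluates to "" rather than failing the job,
        # so check before anything downstream runs with empty credentials.
        run: |
          if [ -z "$AZURE_CREDENTIAL" ]; then
            echo "::error::no secret named AZURE_CREDENTIAL_${PROJECT} is available to this workflow"
            exit 1
          fi

      - name: log in to Azure
        uses: azure/login@v1
        with:
          creds: ${{ env.AZURE_CREDENTIAL }}

      - name: deploy
        # The credential is only read from the environment by the tooling that
        # needs it; nothing here prints it. GitHub masks the secret's value in
        # logs, but that masking is a backstop, not a reason to echo it.
        run: |
          echo "deploying project ${PROJECT}"
```

Reading the input through `inputs.project` (or `github.event.inputs.credentials`) only in `env:` and the expression, never interpolated into a `run:` script body, keeps the shell commands fixed regardless of what the input contains; with a `choice` input that is belt-and-braces, but it is a habit worth keeping for free-text inputs.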