Project author: miklosn

Project description:
Rotate Google Service Account Keys for Github Actions
Language: Python
Repository: git://github.com/miklosn/github-action-rotate-gcp-key.git
Created: 2020-10-27T17:21:13Z
Project page: https://github.com/miklosn/github-action-rotate-gcp-key

github-action-rotate-gcp-key

This action rotates GCP service account keys using the following method:

  1. Create a new key for the SA
  2. Update the specified Github secret (in one or more repos)
  3. Delete all keys which do not equal the newly created key and which are also older than 5 minutes (to prevent race errors)
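
The selection rule from step 3, as an added Python example (not the action's own code). Key dicts follow the shape of the IAM keys.list response; the key IDs and timestamps are constructed, and the USER_MANAGED filter and the refusal to run when the new key is missing from the listing are assumptions added here.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(minutes=5)  # the 5-minute window from step 3
# Constructed sample data: key IDs and timestamps are made up for this example.
PREFIX = "projects/example/serviceAccounts/github-actions@example.iam.gserviceaccount.com/keys/"
NEW_KEY = PREFIX + "new-0003"
SAMPLE_KEYS = [
    {"name": PREFIX + "old-0001", "validAfterTime": "2020-07-01T12:00:00Z", "keyType": "USER_MANAGED"},
    {"name": PREFIX + "old-0002", "validAfterTime": "2020-10-27T11:50:00Z", "keyType": "USER_MANAGED"},
    {"name": PREFIX + "race-0004", "validAfterTime": "2020-10-27T11:58:00Z", "keyType": "USER_MANAGED"},
    {"name": PREFIX + "sys-0005", "validAfterTime": "2020-10-01T00:00:00Z", "keyType": "SYSTEM_MANAGED"},
    {"name": NEW_KEY, "validAfterTime": "2020-10-27T12:00:00Z", "keyType": "USER_MANAGED"},
]


def parse_ts(value):
    """Parse a UTC timestamp of the form 2020-10-27T17:21:13Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_to_delete(keys, new_key_name, now, grace=GRACE):
    """Return the names of the keys that step 3 would delete."""
    if new_key_name not in {k["name"] for k in keys}:
        # Assumption: if the new key is not listed, creation failed or the
        # listing is stale; deleting now could leave no working key at all.
        raise ValueError("new key not present in listing; refusing to delete")
    doomed = []
    for key in keys:
        if key["name"] == new_key_name:
            continue  # never delete the key just written to the secret
        if key.get("keyType") != "USER_MANAGED":
            continue  # assumption: Google-managed keys are not ours to delete
        if now - parse_ts(key["validAfterTime"]) <= grace:
            continue  # not older than 5 minutes: may belong to a concurrent run
        doomed.append(key["name"])
    return doomed


if __name__ == "__main__":
    now = parse_ts("2020-10-27T12:00:30Z")  # constructed "current time"
    for name in keys_to_delete(SAMPLE_KEYS, NEW_KEY, now):
        print("would delete", name)
```
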

Example workflow

    name: Rotate GCP service account key
    #on:
    #  schedule:
    #    - cron: '0 12 * * 1'
    on: [workflow_dispatch]
    jobs:
      rotate:
        name: rotate gcp key
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v2.0.0
          - name: Setup GCP Service Account
            uses: google-github-actions/setup-gcloud@master
            with:
              service_account_key: ${{ secrets.GCP_SA_INFRA_KEY }}
              export_default_credentials: true
          - name: rotate gcp keys
            uses: miklosn/github-action-rotate-gcp-key@main # WARNING: use explicit Git commit sha instead of 'main' to avoid becoming a victim of supply chain attacks
            with:
              projectId: "example"
              serviceAccount: "github-actions@example.iam.gserviceaccount.com"
              personalAccessToken: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
              repositories: ${{ github.repository }}
              secretName: "GCP_SA_INFRA_KEY"

Inputs

projectId: GCP project id to operate on

serviceAccount: e-mail ID of the service account to operate on

personalAccessToken: GitHub token with permission to add/update secrets on a repo basis

secretName: name of the Github secret to update

repositories: one or more GitHub repos. If multiple repos are specified, they need to be separated by commas. The secret will be updated in all repos.