1Password / load-secrets-action

Load secrets from 1Password into your GitHub Actions jobs
https://developer.1password.com
MIT License

Copy 1Password plain notes file into .env #41

Open whobutsb opened 1 year ago

whobutsb commented 1 year ago

Hello All, I'm trying to deploy a Laravel application with an environment file saved in our 1Password vault as a secure note. In our GitHub action we would like to use the latest copy of the environment file and add the contents to a .env during the deployment process. This is how we are currently doing it:

      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v1
        with:
          # Persist the 1Password Service Account token. This will grant
          # all steps of the job access to the token.
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      # Get ENV content from 1Password
      - name: Load secret
        id: op-load-secret
        uses: 1password/load-secrets-action@v1.2.0
        with:
          export-env: true
        env:
          APP_ENV: "op://MyProject/Staging Environment/notesPlain"

      # Create ENV file
      - name: Copy the secret to .env
        run: 'echo $APP_ENV > .env'

When it gets to loading the .env file, the contents of the file and the error message are:

The environment file is invalid!
Failed to parse dotenv file. Encountered unexpected whitespace at ["Laravel Application" *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***].

Is there any way to unmask the contents?

In our local development process we have set up a Makefile command to help with downloading the latest environment file:

env-staging:
	op read op://$(ACCOUNT_NAME)/$(ENV_STAGING)/notesPlain -o .env.staging
	cp .env.staging .env

It would be great to mimic the functionality of the Makefile command with this GitHub action.

Thank you!
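
The `echo $APP_ENV > .env` step above expands the variable unquoted; the sketch below is an added example, not part of the original post or of the action's own code, showing how that flattens a multi-line note into one line while a quoted write keeps it intact. The sample value and the function names are constructed for illustration, and it assumes `APP_ENV` holds the multi-line note text.

```shell
#!/bin/sh
# Constructed sample note content (not a real secret), three lines long.
APP_ENV='APP_NAME="Laravel Application"
APP_ENV=staging
APP_DEBUG=false'

# Unquoted expansion, as in the workflow step: the shell word-splits the
# value on spaces and newlines, and echo rejoins the words with single
# spaces, so the whole note lands on one line.
write_env_unquoted() {
  echo $APP_ENV > "$1"
}

# Quoted expansion keeps every newline. The umask in the subshell makes the
# new file readable by its owner only, since it holds secrets.
write_env_quoted() {
  ( umask 077; printf '%s\n' "$APP_ENV" > "$1" )
}

# Number of newline-terminated lines in a file.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

demo() {
  dir=$(mktemp -d)
  write_env_unquoted "$dir/bad.env"
  write_env_quoted "$dir/good.env"
  echo "unquoted write: $(count_lines "$dir/bad.env") line(s)"
  echo "quoted write:   $(count_lines "$dir/good.env") line(s)"
  rm -rf "$dir"
}

demo
```

In the workflow this corresponds to a step of `run: printf '%s\n' "$APP_ENV" > .env`. GitHub masks registered secret values only in log output, so a file written this way contains the real text even when the log shows `***`.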

Rohithgilla12 commented 1 year ago

I am currently stuck on this too. But using this script to unblock, I am not using this action and added a custom script.

      - name: Install 1Password Cli
        run: |
          curl https://cache.agilebits.com/dist/1P/op2/pkg/v2.18.0/op_linux_amd64_v2.18.0.zip > op.zip
          unzip op.zip
          sudo mv op /usr/local/bin
          rm op.zip

          op user get --me
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Get 1Password Secrets
        run: op read op://api/dev/notesPlain > .env
        working-directory: ./api
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

This works good

mabilbao commented 1 year ago

Same issue here working with Secure Notes to handle my .envs.

@Rohithgilla12 your solution worked for me, thanks!

outragedhuman commented 1 year ago

Same issue here, would be great if there was a way load-secrets-action could handle this natively!

PauloGoncalvesBH commented 1 year ago

> I am currently stuck on this too. But using this script to unblock, I am not using this action and added a custom script.
>
> .........
>
> This works good

Another solution using action 1password/install-cli-action:

  - name: Install 1Password CLI
    uses: 1password/install-cli-action@v1
    with:
      version: 2.18.0

  - name: Get 1Password Secrets
    run: op read op://api/dev/notesPlain > .env
    working-directory: ./api
    env:
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

hopisaurus commented 9 months ago

> > I am currently stuck on this too. But using this script to unblock, I am not using this action and added a custom script.
> >
> > .........
> >
> > This works good
>
> Another solution using action 1password/install-cli-action:
>
>   - name: Install 1Password CLI
>     uses: 1password/install-cli-action@v1
>     with:
>       version: 2.18.0
>
>   - name: Get 1Password Secrets
>     run: op read op://api/dev/notesPlain > .env
>     working-directory: ./api
>     env:
>       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

Another solution is using a .env.template with references to your 1P vault's secret reference paths, and then using an environment variable, such as $TARGET_ENV, to toggle which vault to get which environment's secrets from.

Use op inject from the 1password/install-cli-action either as a basic run command or via a bash script that is passed arguments.

TARGET_ENV="dev" op inject -f -i ".env.template" -o ".env"

The initial .env.template would contain the 1p secret reference paths:

JWKS_ISSUER=op://$TARGET_ENV/jwks/JWKS_ISSUER
JWKS_URI=op://$TARGET_ENV/jwks/JWKS_URI
NODE_ENV=op://$TARGET_ENV/common/node_env
# gRPC endpoints:
GRPC__HEALTH__V1__HEALTH_GRPC=op://$TARGET_ENV/grpc/health_grpc