hashicorp / vault-action

A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.
MIT License

[FEAT] Add Option: `ignoreKeyNotFound` #551

Open xsfa opened 2 months ago

xsfa commented 2 months ago

The Problem

When programmatically passing in vault keys, if the key does not exist I would like the option for the resulting value to be a null or default value.

Proposed Solution

```yaml
- name: Import Secrets
  uses: hashicorp/vault-action@v3.0.0
  with:
    url: ${{ env.url }}
    method: approle
    roleId: ${{ env.role_id }}
    secretId: ${{ env.secret_id }}
    caCertificate: ${{ secrets.vault_ca_cert }}
    ignoreKeyNotFound: true # ***
    defaultValue: null # *** or 'string', defaults to null
    secrets: |
      ${{ env.secret_path }} credentials.${{ env.PREFIX }}.username | username ;
      ${{ env.secret_path }} credentials.${{ env.PREFIX }}.password | password ;
```

Explored Alternatives

Both approaches are messy/hacky and not scalable

xsfa commented 2 months ago

I looked through the code and have an idea on how to implement this, will try to open a PR in the coming days.

fairclothjm commented 2 months ago

@xsfa Are you aware of the ignoreNotFound option? Does this solve the issue for you?

xsfa commented 2 months ago

> @xsfa Are you aware of the ignoreNotFound option? Does this solve the issue for you?

@fairclothjm I tried it, I believe this option only handles cases where the secret is not found, not when a key within the secret is not found.
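
The distinction raised in the last comment, as an added example that is not vault-action's own code: a 404 for the whole secret path versus a key missing inside a secret that was read successfully. The in-memory responses, the function names and the `outcome` field are assumptions made for illustration; `ignoreKeyNotFound` and `defaultValue` are the options proposed in this issue, not existing inputs.

```javascript
// Added illustration, not vault-action source. The responses are constructed
// stand-ins for a Vault KV v2 read; ignoreKeyNotFound/defaultValue are the
// options proposed in this issue, not existing inputs.
const RESPONSES = {
  'secret/data/ci': {
    status: 200,
    body: { data: { data: { credentials: { dev: { username: 'svc-dev' } } } } },
  },
};

// Simulated read: unknown paths answer 404, as for a missing secret.
function readSecret(path) {
  return RESPONSES[path] || { status: 404, body: { errors: [] } };
}

// Walk a dotted selector such as "credentials.dev.username".
function selectKey(data, selector) {
  let node = data;
  for (const part of selector.split('.')) {
    const isObject = node !== null && typeof node === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, part)) {
      return { found: false };
    }
    node = node[part];
  }
  return { found: true, value: node };
}

// Resolve one "path selector" request and report which case applied, so a
// defaulted value stays distinguishable from a real one.
function resolve(path, selector, opts = {}) {
  const res = readSecret(path);
  if (res.status === 404) {
    if (!opts.ignoreNotFound) throw new Error(`secret not found: ${path}`);
    return { outcome: 'secret-not-found', value: undefined };
  }
  const hit = selectKey(res.body.data.data, selector);
  if (!hit.found) {
    if (!opts.ignoreKeyNotFound) throw new Error(`key not found: ${selector}`);
    const value = opts.defaultValue === undefined ? null : opts.defaultValue;
    return { outcome: 'key-not-found', value };
  }
  return { outcome: 'ok', value: hit.value };
}
```

Returning an `outcome` alongside the value lets a later workflow step fail or log when a default was substituted, instead of silently continuing with an empty credential.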