Version for rotating organization secrets, cloned from kneemaa/github-action-rotate-aws-secrets

Maintainer: Dmitry Teikovtsev [email protected]
- Secret visibility is currently private only: only private repositories in the organization can access the rotated secrets. The all and selected visibility variants may be added later.

Inputs (each is passed to the action as an environment variable; see the workflow examples below):

- Access Key ID
  - Required: True
  - Description: Access Key ID to authenticate with AWS. You can use ${{ secrets.ACCESS_KEY_ID }}
  - Should be in organization secrets
- Secret Access Key ID
  - Required: True
  - Description: Secret Access Key ID to authenticate with AWS. You can use ${{ secrets.SECRET_ACCESS_KEY_ID }}
  - Should be in organization secrets
- Session Token
  - Required: False
  - Description: Session Token for the current AWS session. Only required if you assume a role first.
  - Should be in organization secrets
- IAM username
  - Required: False
  - Description: Name of the IAM user being rotated. If not set, the username that owns the supplied AWS credentials is used.
  - Can be in repository secrets, in organization secrets, or in plaintext
- Personal access token
  - Required: True
  - Description: GitHub token with repo admin access to the target repo. As of 4/16/2020, ${{ github.token }} does not have permission to query the Secrets API, and the GITHUB_TOKEN env var that is added automatically to all runs does not have access to secrets either.
  - Can be in repository secrets or in organization secrets
- Owner organization
  - Required: True
  - Description: The repository owner name. For example, octocat. If run in the repo being updated, you can use ${{ github.repository_owner }}
- Owner repository
  - Required: True
  - Description: The repository name. For example, octocat. If run in the repo being updated, you can use ${{ github.repository }}
- Access key secret name
  - Required: False
  - Default: access_key_id
  - Description: Name of the secret for the Access Key ID. Setting this overrides the default.
  - Can be in repository secrets, in organization secrets, or in plaintext
- Secret key secret name
  - Required: False
  - Default: secret_key_id
  - Description: Name of the secret for the Secret Access Key ID. Setting this overrides the default.
  - Can be in repository secrets, in organization secrets, or in plaintext
Example workflow:

```yaml
on:
  schedule:
    # Run once a week, Monday at 13:00 UTC. '* 13 * * 1' would fire every minute of that hour
    # and rotate the key 60 times in a row.
    - cron: '0 13 * * 1'
jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: rotate aws keys
        uses: airslate-ops/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_ORGANIZATION: ${{ github.repository_owner }}
          # Expression syntax needs the leading '$'; '{{ github.repository }}' is passed as a literal string
          OWNER_REPOSITORY: ${{ github.repository }}
```
Example workflow with a Slack notification when the rotation fails:

```yaml
on:
  schedule:
    # Run once a week, Monday at 13:00 UTC ('* 13 * * 1' would fire every minute of that hour)
    - cron: '0 13 * * 1'
jobs:
  rotate:
    name: rotate iam user keys
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: rotate aws keys
        uses: airslate-ops/[email protected]
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.access_key_name }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.secret_key_name }}
          IAM_USERNAME: 'iam-user-name'
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          OWNER_ORGANIZATION: ${{ github.repository_owner }}
          # Expression syntax needs the leading '$'; '{{ github.repository }}' is passed as a literal string
          OWNER_REPOSITORY: ${{ github.repository }}
      - name: Send Slack Status
        if: failure()
        uses: 8398a7/[email protected]
        with:
          status: ${{ job.status }}
          author_name: kneemaa-aws-rotation-action
          username: kneemaa-rotation-bot
          text: Rotating the token had a status of ${{ job.status }}
          channel: alerts-test
        env:
          # A webhook URL is a credential: keep it in a secret rather than committing it to the workflow file
          SLACK_WEBHOOK_URL: https://hooks.slack.com/services/.../...
```
The Dockerfile and associated scripts and documentation in this project are released under the MIT License.