A Github Action that synchronizes the contents of a gopass repository to the Google Cloud Secret Manager.
gopass repository looking like
# gopass list
gopass
├── my-service
│ ├── mySecret
│ └── yourSecret
└── other-secret
├── theSecret
└── aSecret
becomes the following Secret Manager structure:
# gcloud secrets list
NAME CREATED REPLICATION_POLICY LOCATIONS
my-service_mySecret 2020-09-26T20:53:06 user_managed europe-west3
my-service_yourSecret 2020-09-26T22:08:37 user_managed europe-west3
other-secret_theSecret 2020-09-26T22:08:39 user_managed europe-west3
other-secret_aSecret 2020-09-26T19:11:09 user_managed europe-west3
Since Secret Manager keys need to match GCP resource id restrictions all slashes (/
) in gopass are mapped to underscores (_
).
Every history entry of a gopass secret:
# gopass history my-service/mySecret
6751b67b7a17f372478c9feda7357a28c65da407 - heubeck <[email protected]> - 2020-09-27T00:10:27+02:00 - Save secret to my-service/mySecret:
afdd4fdef1ce37935110028923182454c4d76059 - heubeck <[email protected]> - 2020-09-26T22:16:48+02:00 - Save secret to my-service/mySecret:
2651a49d85621ca89746d404b8f8f940ec218133 - heubeck <[email protected]> - 2020-09-26T18:54:35+02:00 - Save secret to my-service/mySecret:
497256fc7f5556b233a805fe0bc54929ba645792 - heubeck <[email protected]> - 2020-09-26T17:58:51+02:00 - Save secret to my-service/mySecret:
will become a separate version of the Secret Managers secrets:
# gcloud secrets versions list my-service_mySecret
NAME STATE CREATED DESTROYED
4 enabled 2020-09-26T22:11:23 -
3 enabled 2020-09-26T22:08:44 -
2 enabled 2020-09-26T22:08:42 -
1 enabled 2020-09-26T22:08:40 -
The first history entry will be version 1, the latest entry becomes the highest version.
Parameter | Description | Default | Required | Reference |
---|---|---|---|---|
project_id |
GCP project ID | true | gcloud | |
service_account_key |
Base64 encoded JSON key for GCP service account with the "Secret Manager Admin" role granted | true | gcloud auth | |
secret_locations |
GCP locations(s) as comma separated list to replicate the secrets | true | gcloud secrets create | |
gpg_public_key |
Base64 encoded public part of the GPG key | true | see below | |
gpg_private_key |
Base64 encoded private part of the GPG key | true | see below | |
github_token |
Token for the repo. Can be passed in using ${{ secrets.GITHUB_TOKEN }} | true | ||
gopass_repository |
gopass repository to synchronize from | current repo | false | |
debug |
Whether the gcloud commands should be printed to output | false |
false |
Public part of the GPG key used by this action to access the gopass repository. The value for this parameter can be created as follows:
# export to file
gpg --output public_key.gpg --armor --export E3C201F1FC162517237EB68F614A1B46F0583426
# create a one line base64 from file
cat public_key.gpg | base64 -w 0
Private part of the GPG key used by this action to access the gopass repository. The value for this parameter can be created as follows:
# export to file
gpg --output private_key.gpg --armor --export-secret-key E3C201F1FC162517237EB68F614A1B46F0583426
# create a one line base64 from file
cat private_key.gpg | base64 -w 0
Parameter | Description | Example |
---|---|---|
log | Text output about the created/updated secrets | my-service/mySecret(my-service_mySecret) created; other-service/theSecret(other-service_theSecret) updated to 2; |
The recommended way of use is to create a .github/workflows/sync.yml
job description like the following in the gopass repository:
name: Synchronize
on: push
jobs:
sync:
name: Synchronize to Google Secret Manager
runs-on: ubuntu-latest
steps:
- name: gopass Synchronize
uses: p1nkun1c0rns/gopass-google-secret-manager-action@master
with:
service_account_key: ${{ secrets.GOOGLE_SERVICEACCOUNT_KEY }}
project_id: your-gcp-project-id
secret_locations: europe-west3
gpg_public_key: ${{ secrets.GPG_PUBLIC_KEY }}
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
Every change in the gopass repository will be immediately synchronized to the GCP Secret Manager, gopass will keep the .github
folder, you can use it as usual.
Instead of using the latest (@master
) or a tagged version there's always a prebuild image in the action
branch:
- name: gopass Synchronize
uses: p1nkun1c0rns/gopass-google-secret-manager-action@action
Welcomed
Right now, the sync is unidirectional and append only. That means, that new gopass history entries are added as new secret versions and missing secrets are created, but removed gopass entries will be deleted in secret manager.
Furthermore, there's no back-sync to the gopass repository, neither about which secrets were created/updated in Secret Manager nor are manual changes in the Secret Manager corrected by the next sync from gopass.