Yandex project
© 2025 Yandex.Cloud LLC
Getting Yandex Lockbox secret value on the GitHub side

Written by
Yandex Cloud
Updated at May 7, 2025
  • Create a repository in GitHub
  • Get your cloud ready
    • Required paid resources
    • Create a workload identity federation
    • Create a custom secret
    • Create a service account
    • Link the service account to the Federation
  • Configure a GitHub Actions script
  • Delete the resources you created
  • See also

Workload identity federations allow you to configure a link between external systems and Yandex Cloud via the OpenID Connect (OIDC) protocol. This allows external systems to perform actions on Yandex Cloud resources on behalf of service accounts without using authorized keys. This is a more secure method that minimizes the risk of credential leakage and the possibility of unauthorized access.

This tutorial uses retrieving the value of a Yandex Lockbox secret from GitHub under a Yandex Cloud service account as its example. In the same way, you can perform any other action via the Yandex Cloud CLI, API, or Terraform.

To get the Yandex Lockbox secret value from GitHub:

  1. Create a repository in GitHub.
  2. Get your cloud ready.
  3. Configure a GitHub Actions script.

If you no longer need the resources you created, delete them.

Create a repository in GitHub

Create a new GitHub repository or use an existing one where you have permissions to view and run GitHub Actions.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support cost includes a fee for storing a secret and requests to it (see Yandex Lockbox pricing).

Create a workload identity federation

Management console
  1. In the management console, select the folder where you want to create a workload identity federation.
  2. From the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Workload identity federations.
  4. Click Create federation.
  5. In the Issuer value (iss) field, enter the OIDC provider's URL: https://token.actions.githubusercontent.com.
  6. In the Acceptable Audience values (AUD) field, enter the token recipient: https://github.com/<github_user_name>.
  7. In the JWKS address field, enter the URL of the public key list: https://token.actions.githubusercontent.com/.well-known/jwks.
  8. In the Name field, enter a name for the federation, e.g., test-iam-federation.
  9. Click Create.

Create a custom secret

Management console
  1. In the management console, select the folder where you want to create your secret.
  2. From the list of services, select Lockbox.
  3. Click Create secret.
  4. In the Name field, enter a name for the secret: MY_SECRET.
  5. Select Secret type Custom.
  6. In the Key field, enter a non-secret ID, e.g., secret.
  7. In the Value field, enter the confidential data you want to store.
  8. Click Create.

Create a service account

  1. Create a service account:

    Management console
    1. In the management console, select the folder where you want to create a service account.
    2. In the list of services, select Identity and Access Management.
    3. Click Create service account.
    4. Enter a name for the service account, e.g., sa-lockbox.
    5. Click Create.
  2. Assign the lockbox.payloadViewer role for the folder to the service account:

    Management console
    1. On the management console home page, select a folder.
    2. Navigate to the Access bindings tab.
    3. Find the sa-lockbox account in the list and click .
    4. Click Edit roles.
    5. In the dialog that opens, click Add role and select the lockbox.payloadViewer role.

Link the service account to the Federation

Management console
  1. In the management console, select the folder the service account was created in.
  2. From the list of services, select Identity and Access Management.
  3. In the list of service accounts, select sa-lockbox.
  4. Navigate to the Workload identity federations tab.
  5. Click Link to federation.
  6. In the Workload identity federation field, select the federation you created earlier.
  7. In the Subject value (sub) field, specify the external account ID: repo:<github_user_name>/<github_repository_name>:ref:refs/heads/main.
  8. Click Link.

Configure a GitHub Actions script

  1. Clone your repository if you have not done so already:

    git clone <repository_URL>
    
  2. In a local copy of your repository, create a file named blank.yml in the .github/workflows directory.

  3. Add the following workflow to the blank.yml file; it retrieves the value of the Yandex Lockbox secret:

    name: CI
    
    permissions:
      id-token: write # Required to request an OIDC JWT for the workflow run
    
    # Controls when the workflow will run
    on:
      # Runs the workflow on push or pull request in the main branch.
      # Note: for pull_request events GitHub issues a token whose sub claim
      # ends in ":pull_request", which does not match the "ref:refs/heads/main"
      # subject linked to the service account, so only pushes to main succeed.
      push:
        branches: [ "main" ]
      pull_request:
        branches: [ "main" ]
    
      # Allows running the workflow manually in the Actions tab
      workflow_dispatch:
    
    jobs:
      job:
        runs-on: ubuntu-latest
        steps:
        - name: Install OIDC Client from Core Package
          run: npm install @actions/core @actions/http-client
        # Request the OIDC token for this workflow run from GitHub
        - name: Get Id Token
          id: tokenid
          uses: actions/github-script@v7
          with:
            script: |
              const coredemo = require('@actions/core')
              let id_token = await coredemo.getIDToken()
              coredemo.setOutput('id_token', id_token)
        # Exchange the GitHub OIDC token for an IAM token of the Yandex Cloud service account
        - name: GetIAMToken
          id: IAMtoken
          env:
            # Pass the token through the environment instead of expanding it inside the script
            SUBJECT_TOKEN: ${{ steps.tokenid.outputs.id_token }}
          run: |
            SA_ID="<service_account_ID>"
            IAMTOKEN=$(curl -sH "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange&requested_token_type=urn:ietf:params:oauth:token-type:access_token&audience=$SA_ID&subject_token=$SUBJECT_TOKEN&subject_token_type=urn:ietf:params:oauth:token-type:id_token" -X POST https://auth.yandex.cloud/oauth/token | jq -r '.access_token')
            echo "IAMTOKEN=${IAMTOKEN}" >> $GITHUB_OUTPUT
        # Request the secret payload from the Lockbox API using the IAM token
        - name: GetLockboxPayload
          id: getlockboxpayload
          env:
            IAM_TOKEN: ${{ steps.IAMtoken.outputs.IAMTOKEN }}
          run: |
            SECRET_ID="<secret_ID>"
            SECRET_DATA=$(curl -sH "Authorization: Bearer $IAM_TOKEN" https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/$SECRET_ID/payload)
            # The response is multi-line JSON, so write it with the delimiter syntax
            # required for multi-line step outputs. Step outputs are not masked
            # automatically; the payload is readable by every later step of the job.
            {
              echo "SECRET_DATA<<EOF"
              echo "$SECRET_DATA"
              echo "EOF"
            } >> $GITHUB_OUTPUT
    

    Where:

    • SA_ID: Service account ID.
    • SECRET_ID: Custom secret ID.
  4. Save the file and push the changes to the remote repository:

    git add . && git commit -m "Added blank.yml" && git push
    

    Once you push the code to the repository, the workflow starts. You can see the result of the run in the log on your repository's Actions tab:

    {
      "entries": [
        {
          "key": "secret",
          "textValue": "67cH2£?pO********"
        }
      ],
      "versionId": "e6q8isknpcp7********"
    }
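
    As an added example (not part of this tutorial or Yandex Cloud's own code), the following Python script models the checks behind the federation settings (Issuer, Acceptable Audience, Subject) and the token-exchange request sent by the GetIAMToken step: it decodes a GitHub OIDC token's claims, compares iss, aud and sub with the values entered above, and builds the same RFC 8693 form body as the workflow's curl call. The sample token is constructed and unsigned; the real federation additionally verifies the signature against the JWKS URL, which this script does not.

```python
import base64
import json
from urllib.parse import urlencode

# Federation settings as entered in the tutorial (placeholders kept as-is).
ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "https://github.com/<github_user_name>"
SUBJECT = "repo:<github_user_name>/<github_repository_name>:ref:refs/heads/main"


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.
    Yandex Cloud verifies the signature against the JWKS URL; this helper only
    lets the workflow author inspect what GitHub put into the token."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def federation_mismatches(claims: dict) -> list:
    """List the claims the federation would reject; an empty list means the
    token matches the federation (iss, aud) and the linked subject (sub)."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if claims.get("sub") != SUBJECT:
        problems.append("sub")
    return problems


def token_exchange_body(service_account_id: str, id_token: str) -> str:
    """Form body of the RFC 8693 token exchange sent by the GetIAMToken step."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": service_account_id,
        "subject_token": id_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    })


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for local testing only; it carries no signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```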
    

Delete the resources you created

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:

  • Yandex Lockbox secret
  • Service account

See also

  • Secure storage of GitLab CI passwords as Yandex Lockbox secrets
