Getting the Lockbox secret value on the GitHub side
Workload identity federations allow you to configure a link between external systems and Yandex Cloud via the OpenID Connect (OIDC) protocol.
This tutorial shows, by way of example, how to get a Yandex Lockbox secret value from the GitHub side under a Yandex Cloud service account. You can perform any other action in the same way via the Yandex Cloud CLI, API, or Terraform.
To get the Yandex Lockbox secret value under a GitHub account:
- Create a repository in GitHub.
- Prepare your cloud.
- Create a workload identity federation.
- Create a custom secret.
- Create a service account.
- Link the service account to the federation.
- Configure a GitHub Actions script.
If you no longer need the resources you created, delete them.
Create a repository in GitHub
Create
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes a fee for storing a secret and requests to it (see Yandex Lockbox pricing).
Create a workload identity federation
- In the management console, select the folder where you want to create a workload identity federation.
- In the list of services, select Identity and Access Management.
- Go to the Workload identity federations tab.
- Click Create federation.
- In the Issuer value (iss) field, enter the OIDC provider's URL: https://token.actions.githubusercontent.com.
- In the Acceptable Audience values (AUD) field, enter the token recipient: https://github.com/<github_user_name>.
- In the JWKS address field, enter the URL of the public key list: https://token.actions.githubusercontent.com/.well-known/jwks.
- In the Name field, enter a name for the federation, e.g., test-iam-federation.
- Click Create.
Create a custom secret
- In the management console, select the folder where you want to create a secret.
- In the list of services, select Lockbox.
- Click Create secret.
- In the Name field, enter a name for the secret: MY_SECRET.
- Under Secret type, select Custom.
- In the Key field, enter a non-secret ID, e.g., secret.
- In the Value field, enter the confidential data you want to store.
- Click Create.
Create a service account
- Create a service account in the management console:
  - In the management console, select the folder where you want to create a service account.
  - In the list of services, select Identity and Access Management.
  - Click Create service account.
  - Enter a name for the service account, e.g., sa-lockbox.
  - Click Create.
- Assign the lockbox.payloadViewer role for the folder to the service account in the management console:
  - On the management console home page, select a folder.
  - Go to the Access bindings tab.
  - Find the sa-lockbox account in the list and open its menu.
  - Click Edit roles.
  - In the dialog that opens, click Add role and select the lockbox.payloadViewer role.
Link the service account to the federation
- In the management console, select the folder the service account was created in.
- In the list of services, select Identity and Access Management.
- From the list, select the sa-lockbox service account.
- Go to the Workload identity federations tab.
- Click Link to federation.
- In the Workload identity federation field, select the federation you created earlier.
- In the Subject value (sub) field, specify the external account ID: repo:<github_user_name>/<github_repository_name>:ref:refs/heads/main.
- Click Link.
Configure a GitHub Actions script
- Clone your repository if you have not done so already:
  git clone <repository_URL>
- In a local copy of your repository, create a file named blank.yml in the .github/workflows directory.
- Insert the following code, which gets the value of the Yandex Lockbox secret, into the blank.yml file:

```yaml
name: CI
permissions:
  id-token: write # Required to request a JWT token

# Controls when the workflow will run
on:
  # Runs a script on push or pull request in the _main_ branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

  # Allows running a script manually in the Actions tab
  workflow_dispatch:

jobs:
  job:
    runs-on: ubuntu-latest
    steps:
      - name: Install OIDC Client from Core Package
        run: npm install @actions/core @actions/http-client

      # Getting the workflow task token
      - name: Get Id Token
        uses: actions/github-script@v7
        id: tokenid
        with:
          script: |
            const coredemo = require('@actions/core')
            let id_token = await coredemo.getIDToken()
            coredemo.setOutput('id_token', id_token)

      # Exchanging the workflow task token for an IAM token of a service account in Yandex Cloud
      - name: GetIAMToken
        run: |
          SA_ID="<service_account_ID>"
          IAMTOKEN=$(curl -sH "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange&requested_token_type=urn:ietf:params:oauth:token-type:access_token&audience=$SA_ID&subject_token=${{steps.tokenid.outputs.id_token}}&subject_token_type=urn:ietf:params:oauth:token-type:id_token" -X POST https://auth.yandex.cloud/oauth/token | jq -r '.access_token')
          # The output name must match the reference in the next step
          echo "IAMTOKEN=${IAMTOKEN}" >> $GITHUB_OUTPUT
        id: IAMtoken

      # Requesting secret value via the API using an IAM token in Yandex Cloud
      - name: GetLockboxPayload
        run: |
          SECRET_ID="<secret_ID>"
          SECRET_DATA=$(curl -sH "Authorization: Bearer ${{steps.IAMtoken.outputs.IAMTOKEN}}" https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/$SECRET_ID/payload)
          echo "SECRET_DATA=${SECRET_DATA}" >> $GITHUB_OUTPUT
        id: getlockboxpayload
```

  Where:
  - SA_ID: Service account ID.
  - SECRET_ID: Custom secret ID.
- Save the file and push the changes to the remote repository:
  git add . && git commit -m "Added blank.yml" && git push
Once you push the code to the repository, the workflow starts. You can see the script execution result logged on your repository's Actions tab:

```json
{
  "entries": [
    {
      "key": "secret",
      "textValue": "67cH2£?pO********"
    }
  ],
  "versionId": "e6q8isknpcp7********"
}
```
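The token exchange above succeeds only if the claims in the GitHub OIDC token match the federation settings (iss, aud) and the subject linked to the service account (sub). The following pre-flight check, an added example that is not part of the Yandex Cloud tutorial, decodes such a token and lists the mismatches; it also shows the common failure mode of this workflow, where a run started by the pull_request trigger carries a sub of the form repo:<owner>/<repo>:pull_request that does not match the ref:refs/heads/main subject. The signature is not verified here (Yandex Cloud checks it against the federation's JWKS URL), and the sample token is constructed locally with a dummy signature.

```python
import base64
import json
import time

# Federation settings from the tutorial (placeholders kept as in the text).
ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "https://github.com/<github_user_name>"
SUBJECT = "repo:<github_user_name>/<github_repository_name>:ref:refs/heads/main"


def _b64url(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked
    here; Yandex Cloud verifies it against the federation's JWKS URL."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url(payload))


def federation_mismatches(token, issuer=ISSUER, audience=AUDIENCE,
                          subject=SUBJECT, now=None) -> list:
    """List every claim the federation would reject: wrong iss, an aud without
    the configured audience, a sub other than the linked one, or exp in the
    past. An empty list means the exchange should be accepted."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if audience not in aud:
        problems.append(f"aud={aud!r} lacks {audience!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub={claims.get('sub')!r}, expected {subject!r}")
    if claims.get("exp", 0) <= now:
        problems.append("exp is in the past")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(
            json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "dummysig"])
```

In the workflow, the token from the Get Id Token step can be passed to federation_mismatches before the exchange so that a rejected request is explained in the job log without exposing the token.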
Delete the resources you created
Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:
- Yandex Lockbox secret
- Service account