A GitHub Action that allows settings to be pulled from an Azure App Configuration store.
It is intended to be analogous to the Azure Pipelines Azure App Configuration task.
With the Get Azure App Configuration action, you can fetch key values from an Azure App Configuration instance and consume them in your GitHub Action workflows.
The definition of this GitHub Action is in action.yml.
Values fetched will be set as outputs of the app configuration action instance and can be consumed in the subsequent actions in the workflow using the notation: `${{ steps.<Id-of-the-AppConfiguration-Action>.outputs.<Secret-Key> }}`. In addition, secrets are also set as environment variables. By default, variables are not automatically masked if printed to the console or logs.
```yaml
- uses: Azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}
- uses: flcdrg/get-azure-app-configuration-action@v2
  id: get-app-configuration
  with:
    resourceGroup: ${{ secrets.RESOURCE_GROUP }}
    appConfigurationName: ${{ secrets.APP_CONFIGURATION }}
    keyFilter: 'key1'
- run: echo ${{ steps.get-app-configuration.outputs.key1 }}
```
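Because fetched values are not masked by default, a workflow that pulls anything sensitive can register the value with the runner's log masker and hand it to later steps through `env`. The following is an added example, not taken from this action's repository; it reuses the `key1` output from the workflow above, and `./deploy.sh` is a hypothetical script standing in for whatever consumes the value.

```yaml
steps:
  - uses: Azure/login@v1
    with:
      creds: ${{ secrets.AZURE_CREDENTIALS }}

  - uses: flcdrg/get-azure-app-configuration-action@v2
    id: get-app-configuration
    with:
      resourceGroup: ${{ secrets.RESOURCE_GROUP }}
      appConfigurationName: ${{ secrets.APP_CONFIGURATION }}
      keyFilter: 'key1'

  # Register the fetched value with the log masker before any later step
  # has a chance to print it.
  - name: Mask fetched value
    shell: bash
    env:
      KEY1: ${{ steps.get-app-configuration.outputs.key1 }}
    run: |
      # ::add-mask:: takes one line at a time, so a multi-line value
      # is masked line by line; empty lines are skipped.
      while IFS= read -r line; do
        if [ -n "$line" ]; then
          printf '::add-mask::%s\n' "$line"
        fi
      done <<< "$KEY1"

  # Pass the value through the environment instead of interpolating the
  # expression into the script text, so the shell only ever sees "$KEY1".
  - name: Use the value
    shell: bash
    env:
      KEY1: ${{ steps.get-app-configuration.outputs.key1 }}
    run: ./deploy.sh   # hypothetical script that reads KEY1 from its environment
```

Masking only affects log output written after the mask step has run.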
Various inputs are defined in action.yml to let you configure this action:

Name | Description |
---|---|
resourceGroup | The name of the resource group that contains the App Configuration resource |
appConfigurationName | The name of the App Configuration resource |
keyFilter | See below |
labelFilter | See below |

Filters for keys. There are two types of matching:
- Exact matching. Up to 5 key names are allowed, separated by commas (',')
- Wildcard matching. A single wildcard expression can be specified.

Value | Matches |
---|---|
omitted or `*` | Matches any key |
`abc` | Matches a key named abc |
`abc*` | Matches key names that start with abc |

These characters are reserved and must be prefixed with a backslash to be specified: `*` or `\` or `,`

Filters for labels. There are two types of matching:
- Exact matching. Up to 5 labels are allowed, separated by commas (',')
- Wildcard matching. A single wildcard expression can be specified.

Value | Matches |
---|---|
omitted or `*` | Matches any key |
`%00` | Matches any key without a label |
`prod` | Matches a key with label named prod |
`prod*` | Matches key with label names that start with prod |

These characters are reserved and must be prefixed with a backslash in order to be specified: `*` or `\` or `,`

Azure App Configuration can reference Key Vault secrets. In order for this to work with your GitHub Action, you need to ensure the following:
- The Azure Key Vault needs to be accessible from the GitHub Action agent. For GitHub-hosted agents, this means you'll need to allow public access from all networks.
- The service principal used to log in to Azure will require the ability to read secrets, either via an access policy or, if using RBAC, via the Key Vault Secrets User role.
Create a new service principal with contributor access to a resource group.
```powershell
az ad sp create-for-rbac --name "app-config-action" --role contributor `
    --scopes /subscriptions/{subscription-id}/resourceGroups/`{resource-group} `
    --sdk-auth
```
Find existing service principal
```powershell
az ad sp list --query "[?displayName == 'app-config-action']"
```
Renew service principal secret
```powershell
az ad sp credential reset --id 4715aece-8daf-4a1a-8f0e-e5eddc9bf8de --display-name rbac --years 1
```