Copy 1Password plain notes file into .env #41

Open
whobutsb opened this issue Apr 28, 2023 · 5 comments

whobutsb commented Apr 28, 2023

Hello All,
I'm trying to deploy a Laravel application with an environment file saved in our 1Password vault as a secure note. In our GitHub Action we would like to use the latest copy of the environment file and add the contents to a .env during the deployment process. This is how we are currently doing it:

      - name: Configure 1Password Connect
        uses: 1password/load-secrets-action/configure@v1
        with:
          # Persist the 1Password Service Account token. This will grant
          # all steps of the job access to the token.
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      # Get ENV content from 1Password
      - name: Load secret
        id: op-load-secret
        uses: 1password/[email protected]
        with:
          export-env: true
        env:
          APP_ENV: "op://MyProject/Staging Environment/notesPlain"

      # Create ENV file
      - name: Copy the secret to .env
        run: 'echo $APP_ENV > .env'

When it gets to loading the .env file, the contents of the file and the error message are:

The environment file is invalid!
Failed to parse dotenv file. Encountered unexpected whitespace at ["Laravel Application" *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***].

Is there any way to unmask the contents?

In our local development process we have setup a Makefile command to help with downloading the latest environment file:

env-staging:
	op read op://$(ACCOUNT_NAME)/$(ENV_STAGING)/notesPlain -o .env.staging
	cp .env.staging .env

It would be great to mimic the functionality of the Makefile command with this GitHub Action.

Thank you!
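Added example, not part of the original post or the action's code: the `***` runs in the error are log masking, and the "unexpected whitespace" failure is consistent with the unquoted `$APP_ENV` in `echo $APP_ENV > .env` being word-split, which turns every newline of the note into a space. The sketch below reproduces that with a constructed note and shows a quoted write that also keeps the file private; the function names and sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample standing in for a multi-line secure note (not real secrets).
SAMPLE_NOTE='APP_NAME="Laravel Application"
APP_ENV=staging
APP_KEY=constructed-placeholder'

# Mirrors the failing step: the unquoted expansion is word-split, so each
# newline in the note becomes a single space and the file is one long line.
write_env_unquoted() {
  # $1 = note text, $2 = output path
  # shellcheck disable=SC2086  # deliberate, same shape as `echo $APP_ENV > .env`
  echo $1 > "$2"
}

# Hardened form: quote the expansion, use printf instead of echo (no option
# or escape handling), and create the file readable only by the current user.
# The umask only affects newly created files, so remove a stale .env first.
write_env_quoted() {
  ( umask 077; printf '%s\n' "$1" > "$2" )
}

# Number of lines in a file, used to compare the two results.
line_count() {
  wc -l < "$1" | tr -d ' '
}

# File mode in octal (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo() {
  demo_dir=$(mktemp -d)
  write_env_unquoted "$SAMPLE_NOTE" "$demo_dir/bad.env"
  write_env_quoted "$SAMPLE_NOTE" "$demo_dir/good.env"
  echo "unquoted: $(line_count "$demo_dir/bad.env") line(s)"
  echo "quoted:   $(line_count "$demo_dir/good.env") line(s), mode $(file_mode "$demo_dir/good.env")"
  rm -rf "$demo_dir"
}

demo
```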

@Rohithgilla12

I am currently stuck on this too.
But using this script to unblock, I am not using this action and added a custom script.

      - name: Install 1Password Cli
        run: |
          curl https://cache.agilebits.com/dist/1P/op2/pkg/v2.18.0/op_linux_amd64_v2.18.0.zip > op.zip
          unzip op.zip
          sudo mv op /usr/local/bin
          rm op.zip

          op user get --me
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Get 1Password Secrets
        run: op read op://api/dev/notesPlain > .env
        working-directory: ./api
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

This works good

@mabilbao

Same issue here working with Secure Notes to handle my .envs.

@Rohithgilla12 your solution worked for me, thanks!

@outragedhuman

Same issue here, would be great if there was a way load-secrets-action could handle this natively!

@PauloGoncalvesBH

I am currently stuck on this too. But using this script to unblock, I am not using this action and added a custom script.

.........

This works good

Another solution using action 1password/install-cli-action:

  - name: Install 1Password CLI
    uses: 1password/install-cli-action@v1
    with:
      version: 2.18.0

  - name: Get 1Password Secrets
    run: op read op://api/dev/notesPlain > .env
    working-directory: ./api
    env:
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

@hopisaurus

I am currently stuck on this too. But using this script to unblock, I am not using this action and added a custom script.

.........

This works good

Another solution using action 1password/install-cli-action:

  - name: Install 1Password CLI
    uses: 1password/install-cli-action@v1
    with:
      version: 2.18.0

  - name: Get 1Password Secrets
    run: op read op://api/dev/notesPlain > .env
    working-directory: ./api
    env:
      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

Another solution using a .env.template with references to your 1P Vaults secret reference path. And then using an environment variable, such as $TARGET_ENV, to toggle which vaults to get which environment's secrets from.

Using the op inject from the 1password/install-cli-action either as a basic run command, or via a bash script that is passed arguments.

TARGET_ENV="dev" op inject -f -i ".env.template" -o ".env"

The initial .env.template would contain the 1p secret reference paths:

JWKS_ISSUER=op://$TARGET_ENV/jwks/JWKS_ISSUER
JWKS_URI=op://$TARGET_ENV/jwks/JWKS_URI
NODE_ENV=op://$TARGET_ENV/common/node_env
# gRPC endpoints:
GRPC__HEALTH__V1__HEALTH_GRPC=op://$TARGET_ENV/grpc/health_grpc
