This action retrieves temporary credentials from Aembit for use in your GitHub workflows. It enables secure, secretless access to external systems such as cloud providers or APIs by dynamically fetching scoped credentials at runtime, so no long-lived secrets need to be stored in GitHub. This helps improve security within CI/CD pipelines.
Important
This Action retrieves an OIDC token for your workflow from GitHub to attest its identity with Aembit. Your workflow must have the following permission for it to work.
```yaml
permissions:
  id-token: write
```

In Aembit, your Client Workload must use the GitHub ID Token Repository identifier, in the format org-name/repository-name. We plan to add support for the GitHub ID Token Subject identifier in future releases.
The Trust Provider in your Access Policy must be of type GitHub Action ID Token, using a repository Match Rule
with a value that includes the org/repository of your workflow. Other Match Rule attributes may work but have not been
tested.
```yaml
- uses: Aembit/get-credentials@v1
  id: step-id # This is required as output of this step is passed to the next step(s).
  with:
    # Aembit Edge SDK Client ID.
    # The unique identifier for your GitHub Trust Provider in Aembit.
    # You can find it by logging into your Aembit tenant, navigating to Trust Providers, selecting your GitHub Trust Provider, and copying the Edge SDK Client ID.
    # This is a required field.
    client-id: ''
    # Specifies the type of credential to retrieve from Aembit.
    # Valid values are: ApiKey, UsernamePassword, OAuthToken, GoogleWorkloadIdentityFederation, AwsStsFederation
    # This is a required field.
    credential-type: ''
    # Server Workload - Service Endpoint Host
    # Used to access server workload which in turn is used to access credentials.
    # You can find it by logging into your Aembit tenant, navigating to Server Workloads, selecting your desired Server Workload, and copying the Service Endpoint Host.
    server-host: ''
    # Server Workload - Service Endpoint Port
    # Used to access server workload which in turn is used to access credentials.
    # You can find it by logging into your Aembit tenant, navigating to Server Workloads, selecting your desired Server Workload, and copying the Service Endpoint Port.
    # Default: 443
    server-port: 443
```
The outputs available depend on the credential-type specified:

For credential-type ApiKey:

```yaml
outputs:
  # API key credential
  # Usage: ${{ steps.step-id.outputs.api-key }}
  api-key: '****'
```

For credential-type UsernamePassword:

```yaml
outputs:
  # Username credential
  # Usage: ${{ steps.step-id.outputs.username }}
  username: '****'
  # Password credential
  # Usage: ${{ steps.step-id.outputs.password }}
  password: '****'
```

For credential-type OAuthToken:

```yaml
outputs:
  # OAuth token credential
  # Usage: ${{ steps.step-id.outputs.token }}
  token: '****'
```

For credential-type GoogleWorkloadIdentityFederation:

```yaml
outputs:
  # Google Workload Identity Federation token
  # Usage: ${{ steps.step-id.outputs.token }}
  token: '****'
```

For credential-type AwsStsFederation:

```yaml
outputs:
  # AWS Access Key ID
  # Usage: ${{ steps.step-id.outputs.aws-access-key-id }}
  aws-access-key-id: '****'
  # AWS Secret Access Key
  # Usage: ${{ steps.step-id.outputs.aws-secret-access-key }}
  aws-secret-access-key: '****'
  # AWS Session Token
  # Usage: ${{ steps.step-id.outputs.aws-session-token }}
  aws-session-token: '****'
```

Note
All the outputs generated by this action are GitHub masked secrets.
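A complete workflow that wires the pieces above together, added here as an illustration and not taken from the Action's own documentation: it grants the id-token permission, requests AwsStsFederation credentials, and hands the masked outputs to a later step through the AWS CLI's standard environment variables. The client-id and server-host values are placeholders for the Edge SDK Client ID and Service Endpoint Host from your Aembit tenant, and the example assumes the AWS CLI is present on the runner.

```yaml
name: deploy-with-aembit

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Required: the action exchanges the workflow's GitHub OIDC token for Aembit credentials.
    # Listing permissions explicitly drops the others to none, so contents: read is
    # restored for the checkout step.
    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Fetch short-lived AWS credentials from Aembit
        uses: Aembit/get-credentials@v1
        id: aembit
        with:
          # Placeholder: Edge SDK Client ID of your GitHub Trust Provider.
          client-id: '<your-edge-sdk-client-id>'
          credential-type: AwsStsFederation
          # Placeholder: Service Endpoint Host of the Server Workload in your Access Policy.
          server-host: '<service-endpoint-host>'
          server-port: 443

      - name: Use the credentials in a later step
        # The outputs are masked secrets; pass them as environment variables rather
        # than interpolating them into the command line, where they could be logged.
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.aembit.outputs.aws-access-key-id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.aembit.outputs.aws-secret-access-key }}
          AWS_SESSION_TOKEN: ${{ steps.aembit.outputs.aws-session-token }}
          AWS_REGION: us-east-1
        run: |
          # Confirm the temporary credentials resolve to the expected AWS identity.
          aws sts get-caller-identity
```

Because the session credentials live only in this job's environment, nothing needs to be rotated or revoked in GitHub when the workflow finishes.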
If you are getting the error

```
Error: Invalid or currently unsupported credential type: Unknown
```

then Aembit cannot connect your GitHub workflow with an access policy that identifies a credential to return. Some things to double-check in your configuration are:

- the Client Workload in Aembit has the right org/repository identifier for your workflow
- the Trust Provider in Aembit allows the org/repository for your workflow
- the credential-type value in the Action config matches the type of Credential Provider in your Access Policy
- the server-host and server-port values in the Action config match the Server Workload in your Access Policy