Managing Connection Secrets with Deploy CLI and GitHub

Overview

This article provides an overview of managing Connection Secrets with the Deploy CLI and GitHub.

Applies To

  • Connection Secrets
  • Deploy CLI
  • GitHub

Solution

The overall approach is to

  1. Set the GitHub secret
  2. Configure the GitHub Actions environment variable to use that secret
  3. Use the environment variable in the Auth0 deployment

Details:

By default, the Deploy CLI uses environment variables to replace keywords in the YAML or JSON files, so every secret value in those files must be replaced with a keyword placeholder similar to the example below:

#tenant.yaml
...
connections:
  - name: google-oauth2
    options:
      client_secret: ##GOOGLE_CLIENT_SECRET##
...

Next, assign the correct value to that environment variable. Test this locally with export GOOGLE_CLIENT_SECRET=<your secret>. When the deploy command runs, the Deploy CLI injects the environment variable's value in place of the keyword.

To get this working with GitHub Actions, edit the workflow yaml file to set the appropriate environment variable. For example, if this were the “DEV” environment:

...
env:
  GOOGLE_CLIENT_SECRET: ${{ secrets.DEV_GOOGLE_CLIENT_SECRET }}
...

Next, add the actual secret value as an encrypted GitHub secret called DEV_GOOGLE_CLIENT_SECRET.

The same approach can be used to add secrets to the config.json file as well.
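The following script is an added example and is not part of the Deploy CLI or this article. It mirrors the keyword-replacement convention described above (##NAME## substituted as a raw string, @@NAME@@ as a JSON-stringified value) on a constructed tenant.yaml, and adds the two checks a practitioner wants before a deploy or a commit: every referenced keyword has an environment variable set, and no secret-bearing key is still holding a literal value. The regexes and the list of secret-bearing keys are assumptions, not the tool's own parser.

```python
import json
import os
import re

# Deploy CLI keyword markers: ##NAME## (raw string) and @@NAME@@ (JSON value).
# The regex is an assumption about how to match them, not the CLI's own code.
KEYWORD_RE = re.compile(r"(##|@@)([A-Za-z_][A-Za-z0-9_]*)\1")

# Constructed sample of a tenant.yaml as it should look when committed.
SAMPLE_TENANT_YAML = """connections:
  - name: google-oauth2
    options:
      client_secret: ##GOOGLE_CLIENT_SECRET##
      scope: @@GOOGLE_SCOPES@@
"""

def find_keywords(text):
    """Return the set of keyword names referenced by ## or @@ markers."""
    return {m.group(2) for m in KEYWORD_RE.finditer(text)}

def missing_keywords(text, env):
    """Keywords with no value in env; these would deploy as literal markers."""
    return sorted(k for k in find_keywords(text) if k not in env)

def render(text, env):
    """Substitute markers like the Deploy CLI does, but fail closed if any
    keyword is unset instead of pushing a literal ##NAME## to the tenant."""
    missing = missing_keywords(text, env)
    if missing:
        raise KeyError("unset keyword(s): " + ", ".join(missing))
    def sub(m):
        value = env[m.group(2)]
        return json.dumps(value) if m.group(1) == "@@" else value
    return KEYWORD_RE.sub(sub, text)

# Keys whose value must never be a literal in the repo (assumed list).
SECRET_KEY_RE = re.compile(
    r"^\s*(client_secret|secret|private_key)\s*:\s*(.+?)\s*$", re.M)

def hardcoded_secrets(text):
    """Secret-bearing keys whose value is not a ##/@@ placeholder."""
    return [k for k, v in SECRET_KEY_RE.findall(text)
            if not KEYWORD_RE.fullmatch(v)]

if __name__ == "__main__":
    print("missing:", missing_keywords(SAMPLE_TENANT_YAML, os.environ))
    print("hardcoded:", hardcoded_secrets(SAMPLE_TENANT_YAML))
```

Run the script in the workflow step before the deploy command, or locally before committing, so an unset DEV secret or a raw client_secret is caught before it reaches the tenant or the repository.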

Note: If the tenant config was exported from Auth0 with EXCLUDED_PROPS set, the export removes these lines altogether, so the keyword mappings are lost. It is recommended not to use GitHub Actions for the export command.

To preserve the mappings, export locally, then un-stage the deletions of the lines removed by the EXCLUDED_PROPS setting before committing to the repository.