Reading 1Password Secrets within GitHub Actions

bloudraak (Community Member)
edited May 2023 in Secrets Automation

I'm unable to use 1Password to retrieve secrets as part of a CI/CD pipeline on a self-hosted GitHub Actions Runner with a restricted user, since load-secrets-action@v1 is downloading the 1Password CLI and then trying to install it to /usr/local/bin/op. It's preinstalled by root and resides in /usr/bin/op. Since it's a permanent host (as opposed to temporary hosts provided by GitHub), allowing the user under which GitHub Runner is running any privileged access would be problematic. Just imagine what kind of damage compromised toolchains could cause.

Setup:

  • Operating System: Ubuntu 22.04
  • Architecture: amd64
  • User: github (normal user, no sudo access)
  • GitHub Actions Runner: Self Hosted
  • 1Password CLI: installed by root and resides in /usr/bin/op

GitHub Actions

  name: Bootstrap 1Password
  run-name: 1Password🚀
  on:
    workflow_dispatch:

  jobs:
    bootstrap:
      runs-on: [self-hosted, linux, x64]
      steps:
        - name: Checkout
          uses: actions/checkout@v3

        - name: Configure 1Password Connect
          uses: 1password/load-secrets-action/configure@v1
          with:
            # connect-host takes the Connect server URL; the original passed the token
            # secret here as well, which looks like a copy/paste slip (secret name assumed).
            connect-host: ${{ secrets.OP_CONNECT_HOST }}
            connect-token: ${{ secrets.OP_CONNECT_TOKEN }}

        - name: Load secret
          uses: 1password/load-secrets-action@v1
          env:
            # Any env var holding an op:// reference is replaced with the secret value
            USERNAME: op://myvault/mysecret/myfield

Output

  2023-05-28T14:47:15.1390034Z [command]/usr/bin/sh -c /home/github/_work/_actions/1password/load-secrets-action/v1/entrypoint.sh
  2023-05-28T14:47:15.1618746Z Authenticated with CONNECT 
  2023-05-28T14:47:16.0312187Z Archive:  op.zip
  2023-05-28T14:47:16.0327837Z error:  cannot create /usr/local/bin/op.sig
  2023-05-28T14:47:16.0328940Z         Permission denied
  2023-05-28T14:47:16.0337384Z error:  cannot create /usr/local/bin/op
  2023-05-28T14:47:16.0338418Z         Permission denied
  2023-05-28T14:47:16.0513651Z ##[error]The process '/usr/bin/sh' failed with exit code 50

Any suggestions to resolve this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser: Not Provided

This discussion has been closed.