GitPedia

Get secretmanager secrets

A GitHub Action for accessing secrets from Google Secret Manager and making them available as outputs.

From google-github-actions·Updated June 15, 2026·View on GitHub·

This action fetches secrets from [Secret Manager][sm] and makes them available to later build steps via outputs. This is useful when you want Secret Manager to be the source of truth for secrets in your organization, but you need access to those secrets in build steps. The project is written primarily in TypeScript, distributed under the Apache License 2.0 license, first published in 2020. Key topics include: actions, gcp, github-actions, google-cloud, google-cloud-platform.

Latest release: v3.0.0
September 3, 2025View Changelog →

get-secretmanager-secrets

This action fetches secrets from Secret Manager and makes them available
to later build steps via outputs. This is useful when you want Secret Manager to
be the source of truth for secrets in your organization, but you need access to
those secrets in build steps.

Secrets that are successfully fetched are set as output variables and can be
used in subsequent actions. After a secret is accessed, its value is added to
the mask of the build to reduce the chance of it being printed or logged by
later steps.

This is not an officially supported Google product, and it is not covered by a
Google Cloud support contract. To report bugs or request features in a Google
Cloud product, please contact Google Cloud
support.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access
    the secrets being requested. See Authorization for more
    information.

  • This action runs using Node 20. If you are using self-hosted GitHub Actions
    runners, you must use a runner
    version     that supports this
    version or newer.

Usage

yaml
jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v3'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v3'
      with:
        secrets: |-
          token:my-project/docker-registry-token

    # Example of using the output
    - id: 'publish'
      uses: 'foo/bar@v1'
      env:
        TOKEN: '${{ steps.secrets.outputs.token }}'

Inputs

<!-- BEGIN_AUTOGEN_INPUTS -->

  • <a name="__input_secrets"></a><a href="#user-content-__input_secrets"><code>secrets</code></a>: (Required) List of secrets to access and inject into the environment. These are
    comma-separated or newline-separated OUTPUTNAME:SECRET. Output names or
    secret names that contain separators must be escaped with a backslash
    (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is
    trimmed unless values are quoted.

    yaml
    secrets: |-
  output1:my-project/my-secret1
  output2:my-project/my-secret2

    Secrets can be referenced using the following formats:

    text
    # Long form
projects/<project-id>/secrets/<secret-id>/versions/<version-id>

# Long form - "latest" version
projects/<project-id>/secrets/<secret-id>

# Short form
<project-id>/<secret-id>/<version-id>

# Short form - "latest" version
<project-id>/<secret-id>

  • <a name="__input_min_mask_length"></a><a href="#user-content-__input_min_mask_length"><code>min_mask_length</code></a>: (Optional, default: 4) Minimum line length for a secret to be masked. Extremely short secrets
    (e.g. { or a) can make GitHub Actions log output unreadable. This is
    especially important for multi-line secrets, since each line of the secret
    is masked independently.

  • <a name="__input_export_to_environment"></a><a href="#user-content-__input_export_to_environment"><code>export_to_environment</code></a>: (Optional) Make the fetched secrets additionally available as environment variables.

  • <a name="__input_encoding"></a><a href="#user-content-__input_encoding"><code>encoding</code></a>: (Optional, default: utf8) Encoding in which secrets will be exported into outputs (and environment
    variables if export_to_environment is true). For secrets that cannot be
    represented in text, such as encryption key bytes, choose an encoding that
    has a safe character such as base64 or hex. For more information about
    available encoding types, please see the Node.js Buffer and character
    encodings    .

  • <a name="__input_universe"></a><a href="#user-content-__input_universe"><code>universe</code></a>: (Optional, default: googleapis.com) The Google Cloud universe to use for constructing API endpoints. The
    default universe is "googleapis.com", which corresponds to
    https://cloud.google.com. Trusted Partner Cloud and Google Distributed
    Hosted Cloud should set this to their universe address.

<!-- END_AUTOGEN_INPUTS -->

Outputs

<!-- BEGIN_AUTOGEN_OUTPUTS -->

  • <a name="__output_secrets"></a><a href="#user-content-__output_secrets"><code>secrets</code></a>: Each secret is prefixed with an output name. The secret's resolved access
    value will be available at that output in future build steps. For example:

    yaml
    jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v3'
      with:
        secrets: |-
          token:my-project/docker-registry-token

    will be available in future steps as the output:

    text
    steps.secrets.outputs.token
<!-- END_AUTOGEN_OUTPUTS -->

Authorization

There are a few ways to authenticate this action. The caller must have
permissions to access the secrets being requested.

Via google-github-actions/auth

Use google-github-actions/auth
to authenticate the action. You can use Workload Identity Federation or
traditional Service Account Key JSON authentication.

yaml
jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v4'

    - id: 'auth'
      uses: 'google-github-actions/auth@v3'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v3'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud,
you can leverage the Application Default Credentials of the instance. This will
authenticate requests as the service account attached to the instance. This
only works using a custom runner hosted on GCP.

yaml
jobs:
  job_id:
    steps:
    - id: 'secrets'
      uses: 'google-github-actions/get-secretmanager-secrets@v3'

The action will automatically detect and use the Application Default
Credentials.

Contributors

Showing top 9 contributors by commit count.

dependabot[bot]

dependabot[bot]

84 commits

sethvargo

sethvargo

58 commits

google-github-actions-bot

google-github-actions-bot

47 commits

bharathkkb

bharathkkb

9 commits

verbanicm

verbanicm

8 commits

averikitsch

averikitsch

4 commits

danBamikiya

danBamikiya

1 commits

glasser

glasser

1 commits

codiophile

codiophile

1 commits

View all contributors on GitHub →

This article is auto-generated from google-github-actions/get-secretmanager-secrets via the GitHub API.Last fetched: 6/16/2026