Secure GitHub Actions secrets with HashiCorp Vault

GitHub Actions has native OIDC token issuance built into the platform. Jobs can request a signed JWT from GitHub's OIDC provider when the workflow grants id-token: write permission. The token contains claims that identify what is running, including the repository, branch or tag reference, deployment environment, and workflow file.

Architecture

The action-to-Vault authentication flow is based on GitHub-issued OIDC tokens:

Runner requests a JWT from GitHub's OIDC provider (token.actions.githubusercontent.com) — requires id-token: write declared on the job
GitHub issues a JWT containing claims for the repository, branch, environment, and workflow file
Runner sends the JWT to Vault's JWT auth endpoint
Vault fetches signing keys from GitHub's shared OIDC discovery URL and validates the token signature
Vault evaluates bound_claims — repository, environment, ref, or job_workflow_ref — against the configured role
Vault issues a short-lived token scoped to the policies attached to the matching role

The runner uses the Vault token to retrieve the secrets authorized for that role.

Diagram showing OIDC authentication flow between GitHub Actions and Vault

Runner hosting and auth method selection

The right auth method depends on where GitHub Actions runners execute. JWT/OIDC auth works for all runner types because GitHub issues an OIDC token for any job with id-token: write permission, regardless of the underlying infrastructure. However, when jobs run on infrastructure you control, additional auth methods become available that can provide stronger identity guarantees or remove the dependency on reaching GitHub's OIDC endpoint.

GitHub-hosted runners — JWT/OIDC is the only practical option. You do not control the underlying infrastructure, so there is no instance or pod identity to leverage.
Self-hosted runners on Kubernetes (Actions Runner Controller) — Kubernetes auth is available in addition to JWT. The runner pod's service account token is verified directly by the cluster API, independent of GitHub.
Self-hosted runners on AWS, Azure, or GCP — Cloud provider auth methods (AWS IAM, Azure Managed Identity, GCP IAM) are available. The runner instance already has a platform identity that Vault can validate against the cloud provider's API — no credential to provision or rotate.
Self-hosted runners on bare metal or air-gapped environments — AppRole with response wrapping, or TLS certificate auth for persistent runner fleets. In air-gapped environments where GitHub's OIDC endpoint (token.actions.githubusercontent.com) is unreachable, AppRole becomes the required fallback.

Authentication options

Because GitHub Actions has native OIDC token issuance, use JWT/OIDC auth for all GitHub-hosted runners and internet-connected self-hosted runners. GitHub's per-job OIDC tokens are the purpose-built mechanism for the Vault integration. The tokens provide the following benefits:

No long-lived, static credentials
Fine-grained bound_claims that can restrict authentication to a specific repository, branch, deployment environment, or workflow file

The hashicorp/vault-action GitHub Action wraps the OIDC exchange and secret retrieval into a single workflow step. The security controls live on the Vault side, in how roles bind to GitHub's JWT claims — not in GitHub itself.

Depending on your use case, there are additional auth methods that may be appropriate for GitHub Actions workflows in your environment. For example, if using self-hosted runners on Kubernetes managed by Actions Runner Controller, use the Kubernetes auth method. The pod's service account token is more authoritative than the GitHub JWT in that context and doesn't require the runner to reach GitHub's OIDC endpoint.

The following table summarizes when each auth method fits best.

Auth method	Security posture	Credential lifecycle	Best suited for
JWT / OIDC	High; per-job identity bound to GitHub repository, environment, and workflow metadata	Token issued per job by GitHub, no rotation needed	GitHub-hosted runners and internet-connected self-hosted runners
Cloud provider auth methods	Highest for cloud-hosted runners; identity is the platform infrastructure itself	Managed by cloud provider; no rotation required	Self-hosted runners on EC2, Azure VMs, or GCE instances with an assigned instance identity
Kubernetes	Highest for in-cluster; service account token verified directly by the cluster API	Short-lived projected service account token, auto-rotated by Kubernetes	Self-hosted runners managed by Actions Runner Controller on Kubernetes
TLS Certificate	High; mutual authentication	Certificate with defined expiry; requires rotation process	Long-lived, persistent runner fleets where mTLS is part of the existing security posture
AppRole	Moderate; requires secure secret ID delivery	Secret ID is single-use with response wrapping; RoleID is long-lived	Air-gapped self-hosted runners where neither cloud identity nor JWT is available

JWT auth is the right choice for most GitHub Actions workflows, especially if using GitHub-hosted runners or self-hosted runners that can access GitHub's OIDC endpoint.

GitHub's OIDC token contains a rich set of claims that Vault can use as binding conditions, including:

Claim	Example value	Use for
`sub`	`repo:org/repo:environment:production/main`	Restrict to specific repository and branch
`repository`	`org/repo`	Restrict to specific repository
`environment`	`production`	Restrict to specific deployment environment
`ref`	`refs/heads/main`	Restrict to specific branch
`job_workflow_ref`	`org/repo/.github/workflows/deploy.yml`	Restrict to specific workflow file

Role configuration

The Vault role's bound_claims are where you translate these into access controls. An unconstrained role that accepts any JWT from GitHub's OIDC issuer is like giving every repository in your organization access to those secrets. Use bound_subject for exact matches, or bound_claims with bound_claims_type: glob for pattern matching.

# Vault role — scoped to a specific repo and deployment environment
# bound_subject encodes: repo identity + environment context
vault write auth/jwt/role/github-actions-deploy \
  role_type=jwt \
  bound_audiences="https://github.com/your-org" \
  bound_subject="repo:your-org/your-repo:environment:production" \
  user_claim=repository \
  token_policies=deploy-production-policy \
  ttl=15m

The role binds Vault access to a specific repository and deployment environment. Vault then issues a short-lived token only when the workflow presents the expected GitHub identity.

Workflow configuration

The workflow requires id-token: write permission to request a JWT from GitHub's OIDC provider. Scope this to the specific job that needs Vault access rather than the entire workflow — granting it at the workflow level gives every job the ability to request OIDC tokens.

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Scope permissions to this job only, not the whole workflow
    permissions:
      id-token: write   # Required: allows this job to request a GitHub OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Retrieve secrets from Vault
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          caCertificate: ${{ secrets.VAULT_CA_CERT }}
          method: jwt
          role: github-actions-deploy
          # jwtGitHubAudience customizes the aud claim — coordinate with Vault team
          # if you change this from the default
          secrets: |
            secret/data/ci/production/db password | DB_PASSWORD ;
            secret/data/ci/production/api key | API_KEY

The workflow requests a GitHub OIDC token only for the job that needs Vault access. The Vault GitHub Action then exchanges that token for a Vault token and retrieves only the secrets required for the deployment.

When self-hosted GitHub Actions runners execute on cloud infrastructure, the instance already has a platform identity that Vault can validate against the cloud provider's API. This avoids storing cloud credentials in GitHub to bootstrap Vault login.

Self-hosted runners on EC2 instances or ECS tasks with an IAM role attached can authenticate to Vault using the AWS auth method. Vault calls AWS STS to validate the instance or task role identity. No credential needs to be provisioned on the runner.

Role configuration

Bind the Vault role to the specific IAM role ARN attached to your runner instances. The iam auth type is preferred over ec2 — it works for both EC2 and ECS and validates against the assumed-role ARN.

# Vault role bound to the IAM role attached to GitHub Actions runner instances
vault write auth/aws/role/github-runner \
  auth_type=iam \
  bound_iam_principal_arn=arn:aws:iam::123456789012:role/github-runner-role \
  token_policies=github-runner-policy \
  ttl=1h

The role binds Vault authentication to the IAM role attached to the runner. Vault issues a token only when the runner proves that AWS identity.

Workflow configuration

jobs:
  build:
    runs-on: self-hosted  # EC2 instance with IAM role attached
    steps:
      - name: Retrieve secrets via AWS IAM auth
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: aws
          role: github-runner
          secrets: |
            secret/data/ci/build/registry password | REGISTRY_PASSWORD

The runner authenticates with its AWS identity — no credential needs to be stored in GitHub. If Vault is configured with iam_server_id_header_value, add the matching awsIamServerId input to the vault-action step.

Self-hosted runners on Azure VMs or Azure Container Instances with a managed identity assigned can authenticate to Vault using the Azure auth method. Vault validates the identity against the Azure Instance Metadata Service (IMDS). No credential needs to be provisioned on the runner.

Role configuration

Bind the Vault role to the managed identity's service principal ID. This ensures only runners with that specific managed identity can authenticate.

# Vault role bound to the managed identity assigned to GitHub Actions runner VMs
vault write auth/azure/role/github-runner \
  token_policies=github-runner-policy \
  bound_subscription_ids=your-subscription-id \
  bound_resource_groups=your-resource-group \
  bound_service_principal_ids=your-managed-identity-object-id \
  ttl=1h

The role binds Vault authentication to the managed identity assigned to the runner. Vault issues a token only when the runner presents the expected Azure identity.

Workflow configuration

jobs:
  build:
    runs-on: self-hosted  # Azure VM with managed identity assigned
    steps:
      - name: Retrieve secrets via Azure Managed Identity auth
        run: |
          AZURE_JWT=$(curl -s -H "Metadata: true" \
            "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" \
            | jq -r '.access_token')

          # bound_service_principal_ids is set on the role — no VM metadata required
          export VAULT_TOKEN=$(vault write -field=token auth/azure/login \
            role=github-runner \
            jwt=$AZURE_JWT)

          vault kv get -field=password secret/ci/build/registry \
            | echo "REGISTRY_PASSWORD=$(cat)" >> $GITHUB_ENV

The runner retrieves an Azure access token from IMDS, exchanges it for a Vault token, and reads only the secret needed for the build.

Self-hosted runners on Google Compute Engine instances with a service account attached can authenticate to Vault using the GCP auth method. Vault validates the runner's identity against Google Cloud. Use an iam role type to bind authentication to the attached service account identity. No credential needs to be provisioned on the runner.

Role configuration

Bind the Vault role to the specific GCP service account email attached to your runner instances.

# Vault role bound to the service account attached to GitHub Actions runner instances
vault write auth/gcp/role/github-runner \
  type=iam \
  token_policies=github-runner-policy \
  bound_service_accounts=github-runner@your-project.iam.gserviceaccount.com \
  ttl=1h

The role binds Vault authentication to the Google Cloud service account attached to the runner. Vault issues a token only when the runner presents that GCP identity.

Workflow configuration

jobs:
  build:
    runs-on: self-hosted  # GCE instance with service account attached
    steps:
      - name: Retrieve secrets via GCP IAM auth
        run: |
          export VAULT_TOKEN=$(vault login -method=gcp -token-only \
            role=github-runner)

          vault kv get -field=password secret/ci/build/registry \
            | echo "REGISTRY_PASSWORD=$(cat)" >> $GITHUB_ENV

The runner logs in with its Google Cloud identity instead of using a bootstrap credential stored in GitHub. The resulting Vault token is then used only for the required secret read.

When self-hosted runners are managed by Actions Runner Controller on Kubernetes, each runner pod has a projected service account token that Vault can validate directly against the Kubernetes API. This is more authoritative than the GitHub JWT in that environment and doesn't introduce a dependency on reaching GitHub's OIDC endpoint from within the cluster.

Role configuration

The Vault role binds to the runner's service account and namespace, following the same pattern as any other Kubernetes workload.

# Vault role for ARC-managed runner pods
vault write auth/kubernetes/role/github-runner \
  bound_service_account_names=arc-runner-sa \
  bound_service_account_namespaces=arc-runners \
  token_policies=github-runner-policy \
  ttl=1h

Workflow configuration

The workflow doesn't need to request a JWT from GitHub's OIDC provider in this case. Instead, the Vault GitHub Action can authenticate using the Kubernetes auth method directly from the runner pod, which has the necessary service account token mounted by Kubernetes.

jobs:
  build:
    runs-on: self-hosted  # ARC-managed runner on Kubernetes
    steps:
      - name: Retrieve secrets via Kubernetes auth
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: kubernetes
          role: github-runner
          # kubernetesTokenPath defaults to the standard SA token path
          secrets: |
            secret/data/ci/build/registry password | REGISTRY_PASSWORD

The runner authenticates with the pod's projected service account token and retrieves only the secret required for the build. This keeps the trust boundary inside the Kubernetes cluster.

AppRole is appropriate when self-hosted runners operate in air-gapped environments where the GitHub OIDC endpoint (token.actions.githubusercontent.com) is unreachable.

Role configuration

The same response wrapping requirement applies here as elsewhere — delivering a raw secret_id to a pipeline often turns into a manually distributed bootstrap secret.

The secret_id should be issued by an external privileged process (an operator workflow, a secrets provisioning system, or a Vault Agent on the controller) and delivered to the runner as a single-use wrapping token.

# AppRole with tight constraints on secret_id lifecycle
vault write auth/approle/role/github-runner-airgapped \
  secret_id_ttl=10m \
  secret_id_num_uses=1 \
  token_ttl=1h \
  token_max_ttl=2h \
  token_policies=github-runner-policy

The AppRole configuration constrains bootstrap material to short-lived, single-use delivery and limits the Vault token lifetime for the job.

Workflow configuration

The workflow must include steps to unwrap the secret_id and authenticate with Vault using the AppRole method.

jobs:
  build:
    runs-on: self-hosted  # Air-gapped runner
    steps:
      - name: Retrieve secrets via AppRole
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          # wrapping token injected by external provisioning process
          # vault-action unwraps it automatically when wrapped=true
          secretId: ${{ secrets.VAULT_SECRET_ID_WRAPPING_TOKEN }}
          wrapped: true
          secrets: |
            secret/data/ci/build/registry password | REGISTRY_PASSWORD

The workflow unwraps the single-use bootstrap material and exchanges it for a short-lived Vault token. The job then uses that token only for the secret reads authorized by the AppRole policy.

TLS cert auth applies when self-hosted runners are long-lived, persistent build agents rather than ephemeral pods.

Role configuration

Vault validates the client certificate presented during the connection, with the certificate's CN or SANs serving as the identity binding. Certificate lifecycle management for these runners should itself use Vault's PKI secrets engine to keep rotation automated.

# Vault TLS cert role for a named runner fleet
vault write auth/cert/certs/github-runner-fleet \
  display_name=github-runner-fleet \
  certificate=@/path/to/runner-fleet-ca.crt \
  allowed_common_names="runner-*.build.example.com" \
  token_policies=github-runner-fleet-policy \
  ttl=4h

Workflow configuration

The workflow authenticates to Vault using the client certificate provisioned on the runner. The pattern assumes the runner's TLS cert is already managed and rotated by Vault's PKI secrets engine. The workflow needs to reference the cert and key from GitHub Secrets or another secure store.

jobs:
  build:
    runs-on: self-hosted  # Persistent runner with managed TLS cert
    steps:
      - name: Retrieve secrets via TLS cert auth
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: cert
          # Certificate and key path provisioned on runner by Vault PKI engine
          clientKey: ${{ secrets.RUNNER_TLS_KEY }}
          clientCertificate: ${{ secrets.RUNNER_TLS_CERT }}
          secrets: |
            secret/data/ci/build/signing key | SIGNING_KEY

The runner authenticates with its client certificate and retrieves only the secret needed for the signing workflow. This pattern fits persistent runners that already participate in an mTLS-based operating model.

Policy

The Vault policy for any role should follow least privilege. A pipeline that deploys to production should not be able to read staging secrets, and a staging pipeline should not be able to read production secrets.

An example Vault policy for a production deployment pipeline might look like this:

# Vault policy: scope to exactly the paths this pipeline needs
path "secret/data/ci/production/db" {
  capabilities = ["read"]
}

# Deny access to everything else implicitly

The policy limits the workflow to the exact production secret path it needs. Use separate policies for other environments so unrelated workflows do not inherit broader access.

Security considerations

There are several security considerations you need to align with your organizational risk tolerance and operational constraints when designing your GitHub Actions secrets management strategy:

JWT role constraints: Bind Vault roles as tightly as possible with bound_subject, bound_claims, or both. A role that accepts any valid token from GitHub's OIDC issuer can allow unintended repositories or workflows to authenticate.
Job-level token permissions: Grant id-token: write only to the job that needs Vault access. If you grant it at the workflow level, every job in that workflow can request an OIDC token.
Workflow-level scoping: In repositories with multiple teams or deployment targets, bind roles to specific workflow files with job_workflow_ref. Without that restriction, any workflow in the repository with id-token: write may be able to authenticate to a repository-scoped role.

For a list of additional security considerations, refer to the CI/CD security considerations page.

Integrate HCP Vault Radar

Before migrating to Vault-based secrets management, Vault Radar can scan existing GitHub Actions workflow files and connected repositories for credentials stored as hardcoded values. This is particularly important in organizations that have accumulated years of workflows with credentials stored across multiple GitHub organizations, environments, and secret scopes.

After migration, Vault Radar can monitor repositories continuously for new secret introductions — catching cases where developers hardcode credentials that should be going through Vault.

Refer to the HCP Vault Radar quick start tutorials to learn about HCP Vault Radar.

Use Vault secrets sync for GitHub Secrets

Vault Secrets Sync provides an alternative solution for managing GitHub Actions pipeline secrets that is useful in cases where using the GitHub OIDC provider is not a feasible approach. Vault Secrets Sync simplifies configuration and lets you to select specific secrets or secret paths for synchronization from Vault to GitHub as repository or environment secrets.

When you use this approach you gain several benefits:

Centralized policy and audit controls
Repository-level access control
No need to include authentication logic in your workflow
Compatibility with all runner types without extra configuration
Synchronization to GitHub when you rotate secrets in Vault
Access to secrets through familiar GitHub Actions syntax without needing to learn Vault details

The Secrets Sync approach has the following limitations:

Supports only static key/value (KV) Vault secrets engines.
Copies secrets into GitHub instead of just-in-time access.
Can require extra management of GitHub Personal Access Tokens or App Tokens for authentication.

The recommended approach, when possible, is to access Vault directly from your GitHub Actions workflows using the Vault GitHub Action and GitHub's OIDC tokens.

Direct access provides the strongest security posture and the best secrets management experience. Use Vault Secrets Sync for GitHub Secrets when the direct integration is not feasible due to technical constraints or organizational policies.

HashiCorp resources

Vault

Read Retrieve Vault secrets from GitHub Actions for a validated architecture pattern for GitHub Actions and Vault.
Watch Using OIDC With HashiCorp Vault and GitHub Actions for a video walkthrough of the OIDC-based integration.
Watch Building Scalable Enterprise Secrets Management with GitHub OIDC and HashiCorp Vault for enterprise-scale patterns for GitHub OIDC and Vault.

Vault Secrets Sync

Watch Developer's Guide to HCP Vault, Part 3: Secrets sync for an introduction to syncing Vault secrets to GitHub Actions.
Watch Vault Enterprise secrets sync (beta) for an overview of the Vault Enterprise secrets sync feature.

Vault GitHub Action

Read Vault GitHub Action to install and configure the official HashiCorp Vault GitHub Action.
Read the Vault GitHub Action repository for source code and configuration options.
Follow the Automate workflows with Vault GitHub actions tutorial to integrate Vault into GitHub Actions workflows.
Read Integrate with GitHub Actions to connect HCP Vault Secrets to GitHub Actions.
Read Learn Vault GitHub Actions for example code to get started with the Vault GitHub Action.
Watch Secure Developer Workflows with Vault & GitHub Actions for a video demonstration of securing developer workflows with Vault.
Watch Secure GitOps Workflows with GitHub Actions and HashiCorp Vault for a GitOps-focused walkthrough of Vault and GitHub Actions.

External resources

Read Configuring OpenID Connect in HashiCorp Vault for GitHub's official documentation on OIDC configuration for Vault.
Read HashiCorp Vault Secrets Sync Demo for example code demonstrating Vault secrets sync with GitHub.
Read HashiCorp Vault GitHub Secrets Sync with Terraform to learn how to manage Vault secrets sync with Terraform.
Read Push button security for your GitHub Actions for HashiCorp's guide to securing GitHub Actions pipelines.
Read How to Use HashiCorp Vault Action for a practical guide to the Vault GitHub Action.
Read Vault GitHub Actions example for a complete example workflow using the Vault GitHub Action.
Watch Automate Workflows w/ HashiCorp Vault GitHub Actions for a video demonstration of automating workflows with the Vault GitHub Action.

Next steps

In this section of managing CI/CD secrets, you learned how to bind GitHub Actions workload identity to Vault auth methods and how to scope secrets to specific repositories, environments, and workflow files. Secure GitHub Actions secrets with HashiCorp Vault is part of the Secure systems pillar.