Created
December 6, 2021 14:15
-
-
Save gitrgoliveira/40147508df40255fef35240eddb653ba to your computer and use it in GitHub Desktop.
setting up vault for GitHub Action OIDC auth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export VAULT_ADDR="https://xxxx:8200" | |
| export VAULT_NAMESPACE="admin" | |
| export VAULT_TOKEN=xxx | |
| tee vault-action.hcl <<EOF | |
| path "kv/data/ci" { | |
| capabilities = ["read"] | |
| } | |
| EOF | |
| ## KV v2 backend was pre-created | |
| vault kv put kv/ci app_secret=a_secret | |
| vault policy write vault-action vault-action.hcl | |
| vault auth enable jwt | |
| vault write auth/jwt/config \ | |
| oidc_discovery_url="https://token.actions.githubusercontent.com" \ | |
| bound_issuer="https://token.actions.githubusercontent.com" \ | |
| default_role="demo" | |
| vault write auth/jwt/role/demo \ | |
| role_type="jwt" \ | |
| bound_subject="repo:gitrgoliveira/vault-action-exampleapp:ref:refs/*" \ | |
| bound_audiences="https://github.com/gitrgoliveira" \ | |
| user_claim="workflow" \ # this will define the entity alias | |
| policies="vault-action" \ | |
| ttl=1h | |
| vault read auth/jwt/role/demo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment