Last active
March 14, 2024 10:30
-
-
Save lightcode/57af0af8542a04af84e1fe97187d5d85 to your computer and use it in GitHub Desktop.
Utiliser Vault depuis vos pipelines Gitlab CI | https://lightcode.fr/article/vault-gitlab/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
demo: | |
image: vault:1.6.0 | |
script: | |
- export VAULT_ADDR=https://vault.example.com | |
- export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt=$CI_JOB_JWT)" | |
- USERNAME="$(vault kv get -field=username kv/demo/hello)" | |
- PASSWORD="$(vault kv get -field=password kv/demo/hello)" | |
- echo "The secret is ${USERNAME}:${PASSWORD}" | |
only: | |
refs: ["master"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Input variables | |
variable vault_url { | |
type = string | |
description = "URL to Vault (example: https://vault.example.com)" | |
} | |
variable gitlab_url { | |
type = string | |
description = "URL to Gitlab (example: https://gitlab.example.com)" | |
} | |
variable gitlab_host { | |
type = string | |
description = "Host of Gitlab (example: gitlab.example.com)" | |
} | |
variable gitlab_project_id { | |
type = string | |
description = "ID of the Gitlab project" | |
} | |
# Enable JWT backend | |
resource "vault_auth_backend" "jwt" { | |
type = "jwt" | |
} | |
# Configure JWT backend with the Gitlab URL | |
resource "vault_jwt_auth_backend" "gitlab" { | |
path = "gitlab-jwt" | |
jwks_url = "${var.gitlab_url}/-/jwks" | |
bound_issuer = var.gitlab_host | |
} | |
# Role for our demo pipeline | |
resource "vault_jwt_auth_backend_role" "read_secret_demo" { | |
backend = vault_jwt_auth_backend.gitlab.path | |
role_name = "read-secret-demo" | |
role_type = "jwt" | |
token_policies = [vault_policy.read_secret_demo.name] | |
user_claim = "user_email" | |
bound_claims = { | |
project_id = var.gitlab_project_id | |
ref = "master" | |
ref_type = "branch" | |
} | |
} | |
# Policy to allow our role to read secrets in kv/demo/* | |
resource "vault_policy" "read_secret_demo" { | |
name = "read-secret-demo" | |
policy = <<EOT | |
path "kv/demo/*" { | |
capabilities = ["read"] | |
} | |
EOT | |
} | |
# Demo secret in the KV store | |
resource "vault_generic_secret" "demo_secret" { | |
path = "kv/demo/hello" | |
data_json = <<EOT | |
{ | |
"username": "foo", | |
"password": "bar" | |
} | |
EOT | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment