Utiliser Vault depuis vos pipelines Gitlab CI | https://lightcode.fr/article/vault-gitlab/
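# Demo job: log in to Vault with the GitLab-issued job JWT, then read one KV secret.
demo:
  image: vault:1.6.0
  script:
    - export VAULT_ADDR="https://vault.example.com"
    # Assign first, export separately: with `export VAR="$(cmd)"` the line's exit
    # status is export's (always 0), so a failed login would be masked and the job
    # would carry on with an empty VAULT_TOKEN instead of failing here.
    # $CI_JOB_JWT is quoted so an empty or odd value cannot split into extra args.
    - VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt="$CI_JOB_JWT")"
    - export VAULT_TOKEN
    - USERNAME="$(vault kv get -field=username kv/demo/hello)"
    - PASSWORD="$(vault kv get -field=password kv/demo/hello)"
    # Values fetched at runtime are not masked by GitLab (only CI variables are),
    # so the secret itself must never be echoed into the job log; just confirm
    # that both fields came back non-empty.
    - test -n "$USERNAME" && test -n "$PASSWORD"
    - echo "Secret kv/demo/hello retrieved"
  only:
    refs: ["master"]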
# Input variables
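# URL of the Vault server, scheme included.
# Block labels are quoted: Terraform 0.12 and later reject the unquoted form.
variable "vault_url" {
  type        = string
  description = "URL to Vault (example: https://vault.example.com)"
}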
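# URL of the GitLab instance; the JWKS endpoint is derived from it below.
# Block labels are quoted: Terraform 0.12 and later reject the unquoted form.
variable "gitlab_url" {
  type        = string
  description = "URL to Gitlab (example: https://gitlab.example.com)"
}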
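# Host name of the GitLab instance, used as the expected JWT issuer.
# Block labels are quoted: Terraform 0.12 and later reject the unquoted form.
variable "gitlab_host" {
  type        = string
  description = "Host of Gitlab (example: gitlab.example.com)"
}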
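# Numeric ID of the GitLab project allowed to log in through the demo role.
# Kept as a string because it is compared against a JWT claim, not used as a number.
# Block labels are quoted: Terraform 0.12 and later reject the unquoted form.
variable "gitlab_project_id" {
  type        = string
  description = "ID of the Gitlab project"
}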
# Enable JWT backend
# NOTE(review): nothing else on this page references vault_auth_backend.jwt —
# the pipeline logs in at auth/gitlab-jwt/login, the mount created by
# vault_jwt_auth_backend.gitlab below — so this presumably adds a second,
# unused JWT auth mount at the provider's default path. Confirm it is needed;
# an unused auth mount is surface area with no consumer.
resource "vault_auth_backend" "jwt" {
  type = "jwt"
}
# Configure JWT backend with the Gitlab URL
# Mounts the JWT auth method at auth/gitlab-jwt (the login path the demo job
# uses), fetches signing keys from <gitlab_url>/-/jwks, and accepts only tokens
# whose issuer claim equals gitlab_host.
# NOTE(review): the key set is fetched over whatever scheme gitlab_url carries;
# it should be https so the signing keys cannot be tampered with in transit —
# confirm the value passed in.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "gitlab-jwt"
  jwks_url     = "${var.gitlab_url}/-/jwks"
  bound_issuer = var.gitlab_host
}
# Role for our demo pipeline
# A login through this role succeeds only when the presented JWT carries
# project_id == gitlab_project_id, ref == "master" and ref_type == "branch";
# the issued token receives the read-only policy vault_policy.read_secret_demo.
# NOTE(review): bound_claims does not check that "master" is a protected branch,
# so anyone who can run a pipeline on master in that project can obtain this
# token — confirm branch protection matches the intended trust boundary.
# NOTE(review): no token TTL is set here, so provider/Vault defaults apply;
# a lifetime close to a job's runtime would limit exposure — confirm defaults.
resource "vault_jwt_auth_backend_role" "read_secret_demo" {
  backend        = vault_jwt_auth_backend.gitlab.path
  role_name      = "read-secret-demo"  # the role= value the CI job logs in with
  role_type      = "jwt"
  token_policies = [vault_policy.read_secret_demo.name]
  user_claim     = "user_email"  # JWT claim Vault treats as the user identity
  bound_claims = {
    project_id = var.gitlab_project_id
    ref        = "master"
    ref_type   = "branch"
  }
}
# Policy to allow our role to read secrets in kv/demo/*
# Read-only and scoped to one prefix: the only capability granted is "read",
# and only below kv/demo/.
# NOTE(review): the path carries no "data/" segment, so this presumably targets
# a KV version 1 mount (a KV v2 mount is addressed as kv/data/demo/*) — confirm
# the mount version before relying on this policy.
resource "vault_policy" "read_secret_demo" {
  name   = "read-secret-demo"
  policy = <<EOT
path "kv/demo/*" {
capabilities = ["read"]
}
EOT
}
# Demo secret in the KV store
# Writes the sample username/password pair that the demo job reads back with
# `vault kv get -field=... kv/demo/hello`.
# NOTE(review): values passed through data_json presumably end up in Terraform
# state as well as in Vault; keep real credentials out of this file and its
# state — the values below are placeholders only.
resource "vault_generic_secret" "demo_secret" {
  path      = "kv/demo/hello"
  data_json = <<EOT
{
"username": "foo",
"password": "bar"
}
EOT
}