{"id":23130385,"url":"https://github.com/andreaso/vault-oidc-ssh-cert-action","last_synced_at":"2025-10-07T03:36:24.965Z","repository":{"id":38012470,"uuid":"500893016","full_name":"andreaso/vault-oidc-ssh-cert-action","owner":"andreaso","description":"Action to get short-lived SSH client certificates from Vault alt. OpenBao","archived":false,"fork":false,"pushed_at":"2025-09-04T14:29:40.000Z","size":75,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-09-23T22:39:55.810Z","etag":null,"topics":["github","openbao","ssh","vault"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andreaso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-06-07T15:14:56.000Z","updated_at":"2025-09-04T14:29:44.000Z","dependencies_parsed_at":"2024-03-24T19:27:01.792Z","dependency_job_id":"1b336dd6-08ec-4524-8206-86dbd4aec541","html_url":"https://github.com/andreaso/vault-oidc-ssh-cert-action","commit_stats":{"total_commits":13,"total_committers":1,"mean_commits":13.0,"dds":0.0,"last_synced_commit":"5664c725713de5f3b8a6f993b8eca85878ff9358"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/andreaso/vault-oidc-ssh-cert-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreaso%2Fvault-oidc-ssh-cert-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreaso%2Fvault-oidc-ssh-cert-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreaso%2Fvault-oidc-ssh-cert-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreaso%2Fvault-oidc-ssh-cert-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andreaso","download_url":"https://codeload.github.com/andreaso/vault-oidc-ssh-cert-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreaso%2Fvault-oidc-ssh-cert-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278716938,"owners_count":26033535,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","openbao","ssh","vault"],"created_at":"2024-12-17T10:14:18.437Z","updated_at":"2025-10-07T03:36:24.959Z","avatar_url":"https://github.com/andreaso.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault OIDC SSH Certificate Action\n\nThis action uses [GitHub's OIDC support][1] to authenticate towards a\nHashiCorp Vault instance or an [OpenBao][2] instance, and to request a\n(short-lived) SSH client certificate from it.\n\n\n## Example Usage\n\n```yaml\njobs:\n deploy:\n permissions:\n contents: read\n id-token: write\n # ...\n steps:\n # ...\n - name: Generate SSH client certificate\n if: github.ref == 'refs/heads/main'\n id: ssh_cert\n uses: andreaso/vault-oidc-ssh-cert-action@v2.0\n with:\n vault_server: https://vault.example.com:8200\n jwt_audience: vault.example.com\n jwt_oidc_backend_path: github-oidc\n jwt_oidc_role: example-user\n ssh_backend_path: ssh-client-ca\n ssh_role: github-actions-example\n\n - name: Deploy site\n if: github.ref == 'refs/heads/main'\n run: \u003e\n rsync -e \"ssh -i '$SSH_KEY_PATH'\"\n --verbose --recursive --delete-after --perms --chmod=D755,F644\n build/ deployer@site.example.net:/var/www/site/\n env:\n SSH_KEY_PATH: ${{ steps.ssh_cert.outputs.key_path }}\n```\n\nDo note that all client certification configuration is expected to\nhappen on the Vault end, given that that is where all the limitations\ncan be enforced.\n\n\n## Automated cleanup\n\nAll the action's writes are to the `${{ runner.temp }}`\ndirectory. Hence as soon as the job is completed both the SSH\ncertificate and its private key will be automatically removed, even in\nthe case of a non-ephemeral runner.\n\n\n## Corresponding Configuration\n\n### HashiCorp Vault\n\n```terraform\nresource \"vault_jwt_auth_backend\" \"github\" {\n path = \"github-oidc\"\n oidc_discovery_url = \"https://token.actions.githubusercontent.com\"\n bound_issuer = \"https://token.actions.githubusercontent.com\"\n}\n\nresource \"vault_mount\" \"ssh_ca\" {\n path = \"ssh-client-ca\"\n type = \"ssh\"\n}\n\nresource \"vault_ssh_secret_backend_ca\" \"ssh_ca\" {\n backend = vault_mount.ssh_ca.path\n key_type = \"ed25519\"\n generate_signing_key = true\n}\n```\n\n```terraform\nresource \"vault_ssh_secret_backend_role\" \"example\" {\n name = \"github-actions-example\"\n backend = vault_mount.ssh_ca.path\n max_ttl = \"900\"\n key_type = \"ca\"\n allow_user_certificates = true\n allow_host_certificates = false\n allowed_users = \"github-deploy@example.com\"\n default_user = \"github-deploy@example.com\"\n default_extensions = {}\n\n allowed_user_key_config {\n type = \"ed25519\"\n lengths = [0]\n }\n}\n\ndata \"vault_policy_document\" \"example\" {\n rule {\n path = \"${vault_mount.ssh_ca.path}/sign/${vault_ssh_secret_backend_role.example.name}\"\n capabilities = [\"update\"]\n }\n}\n\nresource \"vault_policy\" \"example\" {\n name = \"example-policy\"\n policy = data.vault_policy_document.example.hcl\n}\n\nresource \"vault_jwt_auth_backend_role\" \"example\" {\n backend = vault_jwt_auth_backend.github.path\n role_type = \"jwt\"\n role_name = \"example-user\"\n token_max_ttl = \"300\"\n token_policies = [vault_policy.example.name]\n user_claim = \"actor\"\n bound_audiences = [\"vault.example.com\"]\n bound_claims = {\n repository = \"OWNER/REPO-NAME\",\n ref = \"refs/heads/main\",\n }\n}\n```\n\n```terraform\noutput \"ssh_ca\" {\n value = vault_ssh_secret_backend_ca.ssh_ca.public_key\n}\n```\n\n### OpenSSH\n\n```ssh-config\n# /etc/ssh/sshd_config\n# ...\nTrustedUserCAKeys /etc/ssh/sshd_user_ca.pub\nAuthorizedPrincipalsFile /etc/ssh/user_principals/%u\n```\n\n```text\n# /etc/ssh/sshd_user_ca.pub\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...\n```\n\n```text\n# /etc/ssh/user_principals/deployer\ngithub-deploy@example.com\n```\n\n\n[1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect\n[2]: https://openbao.org/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreaso%2Fvault-oidc-ssh-cert-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandreaso%2Fvault-oidc-ssh-cert-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreaso%2Fvault-oidc-ssh-cert-action/lists"}