{"id":43933018,"url":"https://github.com/digitalocean-labs/terraform-vault-github-oidc","last_synced_at":"2026-02-07T00:19:32.879Z","repository":{"id":37051659,"uuid":"475671902","full_name":"digitalocean-labs/terraform-vault-github-oidc","owner":"digitalocean-labs","description":"Terraform module to configure Vault for GitHub OIDC authentication from Action runners.","archived":false,"fork":false,"pushed_at":"2024-08-23T13:51:18.000Z","size":197,"stargazers_count":30,"open_issues_count":6,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-24T05:55:07.529Z","etag":null,"topics":["github-actions","hacktoberfest","oidc","secrets","secrets-management","terraform","vault"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/digitalocean-labs/github-oidc/vault/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/digitalocean-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"artis3n"}},"created_at":"2022-03-30T01:07:58.000Z","updated_at":"2025-06-18T19:29:06.000Z","dependencies_parsed_at":"2024-04-29T19:52:08.789Z","dependency_job_id":"ee89219f-cb6f-4c64-ad9b-b8a34e94f80e","html_url":"https://github.com/digitalocean-labs/terraform-vault-github-oidc","commit_stats":null,"previous_names":["digitalocean-labs/terraform-vault-github-oidc","digitalocean/terraform-vault-github-oidc"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/digitalocean-lab
s/terraform-vault-github-oidc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digitalocean-labs%2Fterraform-vault-github-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digitalocean-labs%2Fterraform-vault-github-oidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digitalocean-labs%2Fterraform-vault-github-oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digitalocean-labs%2Fterraform-vault-github-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/digitalocean-labs","download_url":"https://codeload.github.com/digitalocean-labs/terraform-vault-github-oidc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/digitalocean-labs%2Fterraform-vault-github-oidc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29181326,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T23:15:33.022Z","status":"ssl_error","status_checked_at":"2026-02-06T23:15:09.128Z","response_time":59,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","hacktoberfest","oidc","secrets","secrets-management","terraform","vault"],"created_at":"2026-02-07T00:19:32.279Z","updated_at":"2026-02-07T00:19:32.869Z","avatar_url":"https://github.com/digitalocean-labs.png","language":"HCL","funding_links":["https://github.com/sponsors/artis3n"],"categories":[],"sub_categories":[],"readme":"# Terraform Module: Hashicorp Vault GitHub OIDC \u003c!-- omit in toc --\u003e\n\n![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/digitalocean/terraform-vault-github-oidc)\n[![OIDC Tests](https://github.com/digitalocean/terraform-vault-github-oidc/actions/workflows/oidc_test.yaml/badge.svg)](https://github.com/digitalocean/terraform-vault-github-oidc/actions/workflows/oidc_test.yaml)\n![GitHub](https://img.shields.io/github/license/digitalocean/terraform-vault-github-oidc)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6305/badge)](https://bestpractices.coreinfrastructure.org/projects/6305)\n![GitHub contributors](https://img.shields.io/github/contributors/digitalocean/terraform-vault-github-oidc)\n![GitHub last commit](https://img.shields.io/github/last-commit/digitalocean/terraform-vault-github-oidc)\n\nTerraform module to configure Vault for GitHub OIDC authentication from Action runners on GitHub.com or self-hosted GitHub Enterprise Server.\n\nOIDC authentication allows us to bind GitHub repositories (and subcomponents of a repository, such as a branch, ref, or environment)\nto a Vault role 
without needing to manage actual credentials that require a lifecycle system, integration into repo-level\nGitHub Secrets, or other organizational glue.\n\nExplore GitHub OIDC and HashiCorp Vault use cases with this hands-on workshop: \u003chttps://github.com/artis3n/course-vault-github-oidc\u003e.\n\nReference documents that help with understanding the process:\n- \u003chttps://www.digitalocean.com/blog/fine-grained-rbac-for-github-action-workflows-hashicorp-vault\u003e\n- \u003chttps://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault\u003e\n\nOnce OIDC authentication is configured on a Vault server via this module, a GitHub repository can leverage\n[hashicorp/vault-action](https://github.com/hashicorp/vault-action) to retrieve secrets from Vault with GitHub OIDC authentication.\nNo secrets or credential management needed!\n\ne.g.\n\n```yml\n- name: Import Secrets\n  uses: hashicorp/vault-action@v2\n  id: secrets\n  with:\n    exportEnv: false\n    url: https://\u003cyour-vault-URL\u003e\n    path: github-actions\n    method: jwt\n    role: \u003cvault_role_name\u003e\n    secrets: |\n      secret/data/foo/bar fi | MY_SECRET\n\n- name: Access secret\n  run: echo '${{steps.secrets.outputs.MY_SECRET }}' | my_command\n```\n\n- [Usage](#usage)\n  - [Examples](#examples)\n  - [Considerations for Enterprise Cloud organizations](#considerations-for-enterprise-cloud-organizations)\n  - [Variables](#variables)\n    - [oidc\\_bindings](#oidc_bindings)\n      - [oidc\\_bindings.audience](#oidc_bindingsaudience)\n      - [oidc\\_bindings.vault\\_role\\_name](#oidc_bindingsvault_role_name)\n      - [oidc\\_bindings.bound\\_subject](#oidc_bindingsbound_subject)\n      - [oidc\\_bindings.vault\\_policies](#oidc_bindingsvault_policies)\n      - [oidc\\_bindings.user\\_claim](#oidc_bindingsuser_claim)\n      - [oidc\\_bindings.additional\\_claims](#oidc_bindingsadditional_claims)\n      
- [oidc\\_bindings.ttl](#oidc_bindingsttl)\n    - [default\\_ttl](#default_ttl)\n    - [default\\_user\\_claim](#default_user_claim)\n    - [oidc\\_auth\\_backend\\_path](#oidc_auth_backend_path)\n    - [github\\_identity\\_provider](#github_identity_provider)\n    - [token\\_type](#token_type)\n  - [Requirements](#requirements)\n  - [Providers](#providers)\n  - [Modules](#modules)\n  - [Resources](#resources)\n  - [Inputs](#inputs)\n  - [Outputs](#outputs)\n- [Authors](#authors)\n- [License](#license)\n\n# Usage\n\nThis module simplifies the creation of the JWT auth backend on Vault for this GitHub Action OIDC use case.\nThe module requires you to configure what repositories to bind to Vault roles and policies, and under what\nconditions the respective repository should be granted access.\nThis is encapsulated by the `oidc_bindings` variable.\n\n\u003e **Note**\n\u003e\n\u003e v2 of this module adopts Terraform 1.3's standardized support of [optional object type attributes](https://www.terraform.io/language/expressions/type-constraints#optional-object-type-attributes).\n\u003e Therefore, Terraform 1.3+ is required to use v2.0.0 or higher.\n\u003e\n\u003e Users with Terraform 1.2 or earlier can use v1.1.0 of this module with the [`module_variable_optional_attrs`](https://www.terraform.io/language/v1.2.x/expressions/type-constraints#experimental-optional-object-type-attributes) experimental Terraform feature enabled.\n\n## Examples\n\nTutorial/example repo: \u003chttps://github.com/artis3n/github-oidc-vault-example\u003e.\n\nYou can find several examples leveraging this module under `examples/`:\n- [Basic usage](/examples/simple-repo)\n- [Leveraging JSON files for distributed organization of repo bindings](/examples/json-files)\n- [Adding custom additional claims per OIDC binding](/examples/additional-claims)\n- [Leveraging this module on-prem with GitHub Enterprise Server](/examples/github-enterprise)\n\nBasic example - one repo, separating secrets access by 
nonprod and prod pipelines.\n\n```terraform\nmodule \"github-vault-oidc\" {\n  source = \"digitalocean/github-oidc/vault\"\n  version = \"~\u003e 2.1.0\"\n\n  oidc_bindings = [\n    {\n      audience : \"https://github.com/artis3n\",\n      vault_role_name : \"oidc-dev-role\",\n      bound_subject : \"repo:artis3n/github-oidc-vault-example:pull_request\",\n      vault_policies : [\n        vault_policy.dev.name,\n      ],\n    },\n    {\n      audience : \"https://github.com/artis3n\",\n      vault_role_name : \"oidc-deploy-role\",\n      bound_subject : \"repo:artis3n/github-oidc-vault-example:ref:refs/heads/main\",\n      vault_policies : [\n        vault_policy.deployment.name,\n      ],\n    },\n  ]\n}\n\nresource \"vault_policy\" \"dev\" {\n  name   = \"oidc-dev\"\n  policy = data.vault_policy_document.dev.hcl\n}\n\ndata \"vault_policy_document\" \"dev\" {\n  rule {\n    path         = \"secret/data/dev/foo\"\n    capabilities = [\"read\"]\n  }\n}\n\nresource \"vault_policy\" \"deployment\" {\n  name = \"oidc-deploy\"\n  policy = data.vault_policy_document.deployment.hcl\n}\n\ndata \"vault_policy_document\" \"deployment\" {\n  rule {\n    path         = \"secret/data/prod/bar\"\n    capabilities = [\"read\"]\n  }\n}\n```\n\n## Considerations for Enterprise Cloud organizations\n\nEnterprise Cloud organizations should strongly consider enabling the [Unique Token URL](https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url) feature for their organization.\n\nIf they do so, they should set the `github_identity_provider` variable of this module to their enterprise's unique token URL.\n\n## Variables\n\n### oidc_bindings\n\nThis input variable must be a list of objects containing the following structure:\n\n```terraform\noidc_bindings = [\n  {\n    audience: '',\n    vault_role_name: '',\n    bound_subject: '',\n    vault_policies: [''],\n  
}\n]\n```\n\nThere are additional, optional values you can include as well:\n\n```terraform\noidc_bindings = [\n  {\n    audience: '',\n    vault_role_name: '',\n    bound_subject: '',\n    vault_policies: [''],\n    # Optional below\n    user_claim: '',\n    additional_claims: [\n      {\n        x: '',\n      }\n    ],\n    ttl: 0,\n  }\n]\n```\n\nDescriptions for each parameter are below:\n\n#### oidc_bindings.audience\n\nBy default, the `audience` must be the URL of the repository owner (e.g. `https://github.com/digitalocean`).\n\nThe `audience` can be customized by configuring [whatever you'd like](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token) and using the `jwtGithubAudience` parameter in\n[hashicorp/vault-action](https://github.com/hashicorp/vault-action).\nFor example, from an organizational or audit perspective, you may desire to establish a naming scheme such as `audience: \"\u003ccompany\u003e:\u003corg-unit\u003e:\u003cteam-name\u003e\"`, e.g. `digitalocean:security:product-security`.\n\n#### oidc_bindings.vault_role_name\n\nThe `vault_role_name` must be the name of the Vault role you wish to create on the JWT auth backend.\nEach Vault role should be configured for one repo subject - using the same Vault role with different configurations in the rest of\nthe parameters will cause this module to fail.\nThis is because you would otherwise silently overwrite the role configuration.\n\nYou may want to create multiple Vault roles for a single GitHub repository, e.g. 
a nonprod CI workflow that needs access\nto CI secrets, and a deployment workflow that publishes a release that needs production secrets.\n\n#### oidc_bindings.bound_subject\n\nThe `bound_subject` must be the `sub` field from [GitHub's OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).\nThe bound subject can be constructed from various filters, such as a branch, tag, or specific [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment).\nSee [GitHub's documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims) for examples.\n\n#### oidc_bindings.vault_policies\n\n`vault_policies` must be a list of Vault policy strings to grant to the `vault_role_name` Vault role being configured.\nThese can also come from [`vault_policy` resources](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy#name).\n\n#### oidc_bindings.user_claim\n\n**Optional**\n\nThe `user_claim` is how you want Vault to [uniquely identify](https://www.vaultproject.io/api/auth/jwt#user_claim) this client.\nThis will be used as the name for the Identity entity alias created due to a successful login.\nThis means it will determine the `auth.display_name` value in Vault audit logs.\n\nThis must be a field present in the [GitHub JWT token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).\nDefaults to the value of the [`default_user_claim`](#default_user_claim) variable if not provided.\n\nWe strongly recommend you keep a consistent format for `auth.display_name` for monitoring of Vault's audit log.\nInstead of changing the `user_claim` for a specific role, consider modifying the 
[`default_user_claim`](#default_user_claim) variable to apply a format change to all roles managed through this module.\n\n#### oidc_bindings.additional_claims\n\n**Optional**\n\n`additional_claims` must be a list of any additional claims you would like to enforce in the Vault role binding.\nEach `key` must be a field present in the [GitHub JWT token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).\n\nFor example, to leverage [reusable workflows](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows)\nwith OIDC, you may wish to set your `bound_subject` to `repo:ORG_NAME/*` and add an additional claim of `job_workflow_ref:ORG_NAME/REPO_NAME` pointing to the reusable workflow.\n\ne.g.\n\n```terraform\noidc_bindings = [\n  {\n    audience: '...',\n    vault_role_name: '...',\n    bound_subject: \"repo:digitalocean/*\",\n    vault_policies: ['...'],\n    user_claim: '...',\n    additional_claims: [\n      {\n        job_workflow_ref: 'digitalocean/oidc-example/.github/workflows/deployment.yml@v1',\n      }\n    ],\n  },\n]\n```\n\n#### oidc_bindings.ttl\n\nYou can also specify a custom `ttl` per role binding if you wish to customize beyond the [`default_ttl`](#default_ttl) variable.\nThis must be a number of seconds.\n\n### default_ttl\n\n**Optional**\n\nThe default incremental time-to-live for generated tokens, in seconds.\nSince most uses of [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action) authenticate \u0026 retrieve secrets\nin one step during a CI pipeline, the default for this variable is set to **5 minutes**.\n\nIf you wish to customize the TTL for all roles, modify this variable.\nYou can also specify individual TTL requirements on individual roles that may have edge case needs for a different TTL.\nSee [`oidc_bindings.ttl`](#oidc_bindings.ttl).\n\n### 
default_user_claim\n\n**Optional**\n\nThis is how you want Vault to [uniquely identify](https://www.vaultproject.io/api/auth/jwt#user_claim) this client.\nThis will be used as the name for the Identity entity alias created from a successful login.\nThis means it will determine the `auth.display_name` value in Vault audit logs.\n\nThis must be a field present in the [GitHub JWT token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).\n\nThis is set to `job_workflow_ref` by default.\n\n### oidc_auth_backend_path\n\n**Optional**\n\nBy default, this role will generate a JWT auth backend on Vault at the path `/github-actions`.\nIf you wish to customize the path created by this module, modify this variable.\nDo **not** include a leading `/` in the variable value (e.g. use `github-actions` not `/github-actions`).\n\nAt this time, this module expects to create and manage the JWT backend leveraged for GitHub OIDC auth.\nYou cannot pass in a Terraform reference to an existing backend.\n\n### github_identity_provider\n\n**Optional**\n\nBy default, this role will communicate with github.com for an OIDC JWT (`https://token.actions.githubusercontent.com`).\n\nIf you are an Enterprise Cloud customer, you should configure a [unique token URL](https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url) and set this variable to your unique token URL.\n\n`https://token.actions.githubusercontent.com/\u003centerpriseSlug\u003e`\n\nIf you run GitHub Enterprise Server, you will need to configure your instance of GitHub as the identity provider and should modify this variable.\nThis requires GitHub Enterprise Server version 3.5 or higher.\n\nThe format is: `https://HOSTNAME/_services/token`.\n\nSee 
\u003chttps://docs.github.com/en/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#adding-the-identity-provider-to-hashicorp-vault\u003e.\n\n### token_type\n\n**Optional**\n\nThe type of Vault token that should be generated.\n\u003chttps://developer.hashicorp.com/vault/api-docs/auth/jwt#token_type\u003e\n\nBecause of the short TTLs and frequent use intended for authentication via this module, this module generates a [batch token](https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens) by default.\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3.0 |\n| \u003ca name=\"requirement_vault\"\u003e\u003c/a\u003e [vault](#requirement\\_vault) | \u003e= 3.4.1 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_vault\"\u003e\u003c/a\u003e [vault](#provider\\_vault) | 3.12.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [vault_jwt_auth_backend.github_oidc](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend) | resource |\n| [vault_jwt_auth_backend_role.github_oidc_role](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend_role) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_oidc_bindings\"\u003e\u003c/a\u003e [oidc\\_bindings](#input\\_oidc\\_bindings) | A list of OIDC JWT bindings between GitHub repos and Vault roles. For each entry, you must include:\u003cbr\u003e\u003cbr\u003e  `audience`: By default, this must be the URL of the repository owner (e.g. `https://github.com/digitalocean`). 
This can be customized with the `jwtGithubAudience` parameter in [hashicorp/vault-action](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token) . This is the bound audience (`aud`) field from [GitHub's OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) .\u003cbr\u003e\u003cbr\u003e  `vault_role_name`: The name of the Vault role to generate under the OIDC auth backend.\u003cbr\u003e\u003cbr\u003e  `bound_subject`: This is what is set in the `sub` field from [GitHub's OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) . The bound subject can be constructed from various filters, such as a branch, tag, or specific [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) . See [GitHub's documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims) for examples.\u003cbr\u003e\u003cbr\u003e  `vault_policies`: A list of Vault policies you wish to grant to the generated token.\u003cbr\u003e\u003cbr\u003e  `user_claim`: **Optional**. This is how you want Vault to [uniquely identify](https://www.vaultproject.io/api/auth/jwt#user_claim) this client. This will be used as the name for the Identity entity alias created due to a successful login. This must be a field present in the [GitHub JWT token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) . Defaults to the `default_user_claim` variable if not provided. 
Consider the impact on [reusable workflows](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows#how-the-token-works-with-reusable-workflows) if you are thinking of changing this value from the default.\u003cbr\u003e\u003cbr\u003e  `additional_claims`: **Optional**. Any additional `bound_claims` to configure for this role. Claim keys must match a value in [GitHub's OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) . Do not use this field for the `sub` claim. Use the `bound_subject` parameter instead.\u003cbr\u003e\u003cbr\u003e  `ttl`: **Optional**. The default incremental time-to-live for the generated token, in seconds. Defaults to the `default_ttl` value but can be individually specified per binding with this value. | \u003cpre\u003elist(object({\u003cbr\u003e    audience          = string,\u003cbr\u003e    vault_role_name   = string,\u003cbr\u003e    bound_subject     = string,\u003cbr\u003e    vault_policies    = set(string),\u003cbr\u003e    user_claim        = optional(string),\u003cbr\u003e    additional_claims = optional(map(string)),\u003cbr\u003e    ttl               = optional(number),\u003cbr\u003e  }))\u003c/pre\u003e | n/a | yes |\n| \u003ca name=\"input_default_ttl\"\u003e\u003c/a\u003e [default\\_ttl](#input\\_default\\_ttl) | The default incremental time-to-live for generated tokens, in seconds. | `number` | `300` | no |\n| \u003ca name=\"input_default_user_claim\"\u003e\u003c/a\u003e [default\\_user\\_claim](#input\\_default\\_user\\_claim) | This is how you want Vault to [uniquely identify](https://www.vaultproject.io/api/auth/jwt#user_claim) this client. This will be used as the name for the Identity entity alias created due to a successful login. 
This must be a field present in the [GitHub OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) . Consider the impact on [reusable workflows](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows#how-the-token-works-with-reusable-workflows) if you are thinking of changing this value from the default. | `string` | `\"job_workflow_ref\"` | no |\n| \u003ca name=\"input_github_identity_provider\"\u003e\u003c/a\u003e [github\\_identity\\_provider](#input\\_github\\_identity\\_provider) | The JWT authentication URL used for the GitHub OIDC trust configuration. If you are an Enterprise Cloud account, you should configure a [unique token URL](https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url) and set the result on this variable. If you are an Enterprise Server organization, you should provide a URL in the format: `https://HOSTNAME/_services/token`. This requires GitHub Enterprise Server version 3.5 or higher. See \u003chttps://docs.github.com/en/enterprise-server@latest/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#adding-the-identity-provider-to-hashicorp-vault\u003e. | `string` | `\"https://token.actions.githubusercontent.com\"` | no |\n| \u003ca name=\"input_oidc_auth_backend_path\"\u003e\u003c/a\u003e [oidc\\_auth\\_backend\\_path](#input\\_oidc\\_auth\\_backend\\_path) | The path to mount the OIDC auth backend. | `string` | `\"github-actions\"` | no |\n| \u003ca name=\"input_token_type\"\u003e\u003c/a\u003e [token\\_type](#input\\_token\\_type) | The type of token to generate. This can be either `batch` or `service`. 
See \u003chttps://developer.hashicorp.com/vault/api-docs/auth/jwt#token_type\u003e for more information. | `string` | `\"batch\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_auth_backend_path\"\u003e\u003c/a\u003e [auth\\_backend\\_path](#output\\_auth\\_backend\\_path) | The path of the generated auth method. Use with a `vault_auth_backend` data source to retrieve any needed attributes from this resource. |\n| \u003ca name=\"output_oidc_bindings_names\"\u003e\u003c/a\u003e [oidc\\_bindings\\_names](#output\\_oidc\\_bindings\\_names) | The Vault role names generated for each OIDC binding provided. This is a reflection of the `vault_role_name` value of each item in `oidc_bindings`. |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n# Authors\n\nThis module is maintained by [Ari Kalfus](https://github.com/artis3n) with help from [these excellent contributors](https://github.com/digitalocean/terraform-vault-github-oidc/graphs/contributors).\n\n# License\n\nLicensed under Apache 2.0. See [LICENSE](LICENSE) for full details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigitalocean-labs%2Fterraform-vault-github-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdigitalocean-labs%2Fterraform-vault-github-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigitalocean-labs%2Fterraform-vault-github-oidc/lists"}