Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mongey/vault-plugin-auth-github-actions
A vault plugin to authenticate GitHub actions
github-actions vault vault-plugin vault-plugins
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/mongey/vault-plugin-auth-github-actions
- Owner: Mongey
- License: mit
- Created: 2020-08-31T23:41:01.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-03-29T23:21:42.000Z (almost 4 years ago)
- Last Synced: 2024-06-19T05:55:11.824Z (6 months ago)
- Topics: github-actions, vault, vault-plugin, vault-plugins
- Language: Go
- Homepage:
- Size: 39.1 KB
- Stars: 7
- Watchers: 3
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# vault-plugin-auth-github-actions
Authenticate with Vault from your GitHub Actions.

## Setup

1. Download and decompress the latest plugin binary from the Releases tab on
GitHub. Alternatively you can compile the plugin from source.

2. Move the compiled plugin into Vault's configured `plugin_directory`:
```sh
$ mv vault-plugin-auth-github-actions /etc/vault/plugins/vault-plugin-auth-github-actions
```

3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog.
If you are downloading the pre-compiled binary, it is highly recommended that
you use the published checksums to verify integrity.

```sh
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-auth-github-actions" | cut -d' ' -f1)

$ vault write sys/plugins/catalog/auth/github-actions-auth-plugin \
    sha_256="${SHA256}" \
    command="vault-plugin-auth-github-actions"
```

4. Mount the auth method:
```sh
# -plugin-name must match the name registered in the plugin catalog in step 3
$ vault auth enable \
    -path="github-actions" \
    -plugin-name="github-actions-auth-plugin" plugin
```

5. Configure the role your repository should assume:
```sh
$ vault write auth/github-actions/repositories/Mongey/vault-plugin-auth-github-actions policies=admin
```

6. Point your GitHub Action to import your secrets from Vault:
```yaml
- name: Import Secrets
  id: secrets
  uses: hashicorp/[email protected]
  with:
    url: https://my-vault-server.org:8200
    method: github-actions
    secrets: secret/data/ci npmToken | NPM_TOKEN
    authPayload: |
      '{
        "token": "${{ secrets.GITHUB_TOKEN }}",
        "run_id": "${{ github.run_id }}",
        "run_number": "${{ github.run_number }}",
        "owner": "${{ github.repository_owner }}",
        "repository": "${{ github.repository }}"
      }'
# Demo only: shows the secret is available as a step output and as an
# environment variable; avoid echoing secrets in real workflows.
- name: Print
  env:
    MY_VAR: Hello
    FOO: ${{ steps.secrets.outputs.NPM_TOKEN }}
  run: |
    echo $MY_VAR $FOO $NPM_TOKEN
```

### Assign a default policy to all repositories in your organization

```
$ vault write auth/github-actions/organizations/Mongey policies=admin
```

## Configuration

To configure it, use the `/config` endpoint with the following arguments:
* `base_url` (string, optional) - For GitHub Enterprise or other API-compatible
  servers, the base URL to access the server.

For example:
```
vault write auth/github-actions/config base_url=https://enterprise.github.com/
```
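
Setup step 3 recommends checking a pre-compiled binary against the published checksums before registering it. One way to do that, as an added example that is not part of the project's README; the checksum list name `SHA256SUMS`, its `<hex>  <filename>` line format and the helper function names are assumptions:

```sh
#!/bin/sh
# Added example: verify a downloaded plugin binary against a published checksum
# list, and only then emit the hash for registration in the plugin catalog.
# Assumption: the checksum list uses "<sha256-hex>  <filename>" lines as written
# by sha256sum / shasum -a 256; its file name (SHA256SUMS) is hypothetical.

# Print the SHA256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_plugin_sha256 BINARY CHECKSUM_LIST
# Prints the verified hash on stdout; returns 1 on mismatch, 2 if no entry.
verify_plugin_sha256() {
    binary=$1
    list=$2
    name=$(basename "$binary")
    # Match the file name field exactly (binary-mode entries carry a leading '*').
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $list" >&2
        return 2
    fi
    actual=$(sha256_of "$binary") || return 1
    # Compare case-insensitively; hex digests may be published in upper case.
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected_lc" ]; then
        echo "checksum mismatch for $name: expected $expected_lc, got $actual" >&2
        return 1
    fi
    printf '%s\n' "$actual"
}

# Usage (commented out so the file can be sourced without side effects):
# SHA256=$(verify_plugin_sha256 ./vault-plugin-auth-github-actions ./SHA256SUMS) &&
#   mv vault-plugin-auth-github-actions /etc/vault/plugins/ &&
#   vault write sys/plugins/catalog/auth/github-actions-auth-plugin \
#     sha_256="${SHA256}" command="vault-plugin-auth-github-actions"
```

Because the hash passed to `sha_256` is the one that was just verified, Vault's catalog pins the same digest the publisher listed rather than whatever happens to be on disk.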