Authenticate with Vault from your GitHub Actions.

1. Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively, you can compile the plugin from source.

2. Move the compiled plugin into Vault's configured `plugin_directory`:

   ```sh
   $ mv vault-plugin-auth-github-actions /etc/vault/plugins/vault-plugin-auth-github-actions
   ```

3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

   ```sh
   $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-auth-github-actions" | cut -d' ' -f1)
   $ vault write sys/plugins/catalog/auth/github-actions-auth-plugin \
       sha_256="${SHA256}" \
       command="vault-plugin-auth-github-actions"
   ```

4. Mount the auth method. The `-plugin-name` must be the name the plugin was registered under in the catalog:

   ```sh
   $ vault auth enable \
       -path="github-actions" \
       -plugin-name="github-actions-auth-plugin" plugin
   ```

5. Configure the role your repository should assume:

   ```sh
   $ vault write auth/github-actions/repositories/Mongey/vault-plugin-auth-github-actions policies=admin
   ```

6. Point your GitHub Action to import your secrets from Vault. With the `|` block scalar, `authPayload` is sent exactly as written, so it must be plain JSON (no surrounding quotes):

   ```yaml
   - name: Import Secrets
     id: secrets
     uses: hashicorp/vault-action@v2.0.0
     with:
       url: https://my-vault-server.org:8200
       method: github-actions
       secrets: secret/data/ci npmToken | NPM_TOKEN
       authPayload: |
         {
           "token": "${{ secrets.GITHUB_TOKEN }}",
           "run_id": "${{ github.run_id }}",
           "run_number": "${{ github.run_number }}",
           "owner": "${{ github.repository_owner }}",
           "repository": "${{ github.repository }}"
         }
   - name: Print
     env:
       MY_VAR: Hello
       FOO: ${{ steps.secrets.outputs.NPM_TOKEN }}
     run: |
       echo $MY_VAR $FOO $NPM_TOKEN
   ```

   Alternatively, grant policies at the organization level:

   ```sh
   $ vault write auth/github-actions/organizations/Mongey policies=admin
   ```
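The following is an added example, not code from this plugin's README or from `hashicorp/vault-action`: a POSIX shell script that performs the same login the action does with the `authPayload` above, but directly against Vault's HTTP API, for a job that does not use the action. It assumes the `github-actions` mount path from the setup steps, that `VAULT_ADDR` points at the server, that `GITHUB_TOKEN` has been exported into the step's environment (for example via `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`), and that the login endpoint is the conventional `auth/<mount>/login` the action posts to; `GITHUB_RUN_ID`, `GITHUB_RUN_NUMBER`, `GITHUB_REPOSITORY_OWNER` and `GITHUB_REPOSITORY` are the default variables GitHub sets in every job. The function names are hypothetical.

```shell
#!/usr/bin/env sh
# Added example (not from the plugin's README): log in to the github-actions
# auth mount over Vault's HTTP API from a shell step, without vault-action.
# Assumptions: mount path "github-actions"; VAULT_ADDR set; GITHUB_TOKEN
# exported into the step's env; the remaining GITHUB_* variables are the
# defaults GitHub provides in every job.

# Build the JSON login payload (same fields as the README's authPayload).
# Arguments: token run_id run_number owner repository
github_actions_login_payload() {
  printf '{"token":"%s","run_id":"%s","run_number":"%s","owner":"%s","repository":"%s"}' \
    "$1" "$2" "$3" "$4" "$5"
}

# Pull the client token out of a Vault login response, which has the form
# {"auth":{"client_token":"...","policies":[...],"lease_duration":N,...}}.
# Uses sed instead of jq so the step has no extra dependency; assumes the
# token itself contains no double quote (Vault tokens never do).
extract_client_token() {
  printf '%s' "$1" | sed -n 's/.*"client_token":"\([^"]*\)".*/\1/p'
}

# POST the payload to auth/<mount>/login and print the client token on stdout.
# Optional first argument overrides the mount path.
vault_github_actions_login() {
  mount="${1:-github-actions}"
  [ -n "$GITHUB_TOKEN" ] || { echo "GITHUB_TOKEN is not set in this step" >&2; return 1; }
  [ -n "$VAULT_ADDR" ] || { echo "VAULT_ADDR is not set" >&2; return 1; }
  payload=$(github_actions_login_payload "$GITHUB_TOKEN" "$GITHUB_RUN_ID" \
    "$GITHUB_RUN_NUMBER" "$GITHUB_REPOSITORY_OWNER" "$GITHUB_REPOSITORY")
  response=$(curl -sS --fail -X POST \
    -H 'Content-Type: application/json' \
    --data "$payload" \
    "${VAULT_ADDR}/v1/auth/${mount}/login") || return 1
  token=$(extract_client_token "$response")
  [ -n "$token" ] || { echo "login response carried no client_token" >&2; return 1; }
  printf '%s\n' "$token"
}

# Usage inside a job step (left as comments so the file can be sourced safely):
#   VAULT_TOKEN=$(vault_github_actions_login) && export VAULT_TOKEN
#   vault kv get -field=npmToken secret/ci   # secret/data/ci in the README
```

The token Vault returns carries only the policies configured for the repository (or its organization) in the setup steps; `vault token lookup` shows those policies and the TTL, which is a quick way to confirm the mapping did what you expect before wiring the token into later steps.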
To configure it, use the `/config` endpoint with the following arguments:

- `base_url` (string, optional) - For GitHub Enterprise or other API-compatible servers, the base URL to access the server.

For example:

```sh
$ vault write auth/github-actions/config base_url=https://enterprise.github.com/
```