Skip to content

Mongey/vault-plugin-auth-github-actions

Repository files navigation

vault-plugin-auth-github-actions

Authenticate with vault from your github actions.

Setup

  1. Download and decompress the latest plugin binary from the Releases tab on GitHub. Alternatively you can compile the plugin from source.

  2. Move the compiled plugin into Vault's configured plugin_directory:

$ mv vault-plugin-auth-github-actions /etc/vault/plugins/vault-plugin-auth-github-actions
  1. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-plugin-auth-github-actions" | cut -d' ' -f1)

$ vault write sys/plugins/catalog/auth/github-actions-auth-plugin \
    sha_256="${SHA256}" \
    command="vault-plugin-auth-github-actions"
  1. Mount the auth method:
$ vault auth enable \
    -path="github-actions" \
    -plugin-name="auth-github-actions" plugin
  1. Configure the role your repository should assume
$ vault write auth/github-actions/repositories/Mongey/vault-plugin-auth-github-actions policies=admin
  1. Point your github action to import your secrets from Vault
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.0.0
        with:
          url: https://my-vault-server.org:8200
          method: github-actions
          secrets: secret/data/ci npmToken | NPM_TOKEN
          authPayload: |
          '{
            "token": "${{ secrets.GITHUB_TOKEN }}",
            "run_id": "${{ github.run_id }}",
            "run_number": "${{ github.run_number }}",
            "owner": "${{ github.repository_owner }}",
            "repository": "${{ github.repository }}"
          }'
      - name: Print
        env:
          MY_VAR: Hello
          FOO: ${{ steps.secrets.outputs.NPM_TOKEN }}
        run: |
          echo $MY_VAR $FOO $NPM_TOKEN

Assign a default policy to all repositories in your organization

$ vault write auth/github-actions/organizations/Mongey policies=admin

Configuration

To configure it, use the /config endpoint with the following arguments:

  • base_url (string, optional) - For GitHub Enterprise or other API-compatible servers, the base URL to access the server.

For example:

vault write auth/github-actions/config base_url=https://enterprise.github.com/