This repository has been archived by the owner on Feb 27, 2024. It is now read-only.


Vault Approle Token extractor through Vault Broker API

This action acquires an AppRole token from Vault through the Broker API, which lets a team obtain and use Vault tokens from a GitHub Actions pipeline.

This is useful in CI/CD pipelines that need to read a secret, obtain a Vault token, or perform any other Vault-related task.

This tool is currently based on the existing documentation provided by 1team.

Usage

- uses: bcgov-nr/action-vault-broker-approle@main
  with:
    ### Required
    
    # Broker JWT Token
    broker_jwt: The JWT to be used on the broker

    # Role ID for Provision
    provision_role_id: The id of the role to be used during provisioning

    # Project name on vault
    project_name: Name of the project on vault, Ex. client
    
    # Application name on vault
    app_name: Name of the app on vault, Ex. app-client
    
    # Vault environment
    environment: Name of the vault environment, Ex. development
    
    ### Usually a bad idea / not recommended

    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}

    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}

    # Broker server address
    # Useful when consuming from a test server or other environment
    broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca

    # Vault server address
    # Useful when interacting with other instances of vault
    vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca

Example, Reading secrets

Read a secret from Vault.

Create or modify a GitHub workflow like the one below, e.g. `.github/workflows/pr-open.yml`.

name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: super
          app_name: app-super
          environment: development
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/dev/super_secrets username | SECRET_USER;
            apps/data/dev/super_secrets password | SECRET_PWD;

Example, Matrix Token Reads

Read secrets from multiple environments using a job matrix.

Create or modify a GitHub workflow like the one below, e.g. `.github/workflows/pr-open.yml`.

name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        env: [dev, test]
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: super
          app_name: app-super
          environment: development
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/${{ matrix.env }}/super_secrets username | SECRET_USER;
            apps/data/${{ matrix.env }}/super_secrets password | SECRET_PWD;

Output

If a token is acquired, this action exposes its value as the `vault_token` output (`steps.<step id>.outputs.vault_token`). See the examples above.
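In the examples above the `vault_token` output is handed to `hashicorp/vault-action`. The following is an added example, not code from this action or from the bcgov-nr project, showing what a step that uses the token directly should take care of: read the wanted keys from a KV v2 secret over Vault's HTTP API, mask each value before it can reach the job log, append it to `GITHUB_OUTPUT`, and revoke the token as soon as the job is done with it. The Vault address `vault.example.invalid` is a placeholder; the `apps` mount and `dev/super_secrets` path mirror the paths used in the examples but are assumptions about the Vault layout; the `http` parameter exists so the calls can be exercised against a stub without a Vault server.

```python
"""Consume the vault_token output of a broker step from a later workflow step.

Added example (not part of bcgov-nr/action-vault-broker-approle). Reads keys
from a KV v2 secret, masks them in the Actions log, writes them to
$GITHUB_OUTPUT and revokes the token. Address, mount and path are assumed.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, headers) -> (http_status, body_text)
HttpFn = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def _urllib_http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default transport: one HTTPS request via urllib, no retries."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read().decode()


def read_kv2_secret(vault_addr: str, token: str, mount: str, path: str,
                    keys: List[str], http: HttpFn = _urllib_http) -> Dict[str, str]:
    """Read selected keys from a KV v2 secret (GET /v1/<mount>/data/<path>).

    KV v2 wraps the secret as {"data": {"data": {...}, "metadata": {...}}}.
    A failed request or a missing key raises, so a typo in a key name fails
    the job instead of silently exporting an empty value.
    """
    url = f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    status, body = http("GET", url, {"X-Vault-Token": token})
    if status != 200:
        raise RuntimeError(f"Vault read of {mount}/{path} failed: HTTP {status}")
    data = json.loads(body)["data"]["data"]
    missing = [k for k in keys if k not in data]
    if missing:
        raise KeyError(f"keys {missing} not present in {mount}/{path}")
    return {k: str(data[k]) for k in keys}


def revoke_self(vault_addr: str, token: str, http: HttpFn = _urllib_http) -> bool:
    """Revoke the job's own token (POST /v1/auth/token/revoke-self).

    Vault answers 204 on success. The AppRole token is short-lived anyway,
    but revoking it ends its validity the moment the job stops needing it.
    """
    url = f"{vault_addr.rstrip('/')}/v1/auth/token/revoke-self"
    status, _ = http("POST", url, {"X-Vault-Token": token})
    return status == 204


def export_masked(values: Dict[str, str], output_path: Optional[str]) -> List[str]:
    """Mask each value in the Actions log, then append name=value lines to
    $GITHUB_OUTPUT. Returns the names written (never the values).

    Multi-line values would need the heredoc form of GITHUB_OUTPUT; this
    example rejects them rather than writing a malformed file.
    """
    lines = []
    for name, value in values.items():
        if "\n" in value:
            raise ValueError(f"{name}: multi-line values need the heredoc form")
        print(f"::add-mask::{value}")  # GitHub redacts later occurrences in the log
        lines.append(f"{name}={value}")
    if output_path:
        with open(output_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return list(values)


if __name__ == "__main__":
    # In a workflow, VAULT_TOKEN would be set from steps.broker.outputs.vault_token.
    addr = os.environ.get("VAULT_ADDR", "https://vault.example.invalid")  # placeholder
    tok = os.environ["VAULT_TOKEN"]
    secret = read_kv2_secret(addr, tok, "apps", "dev/super_secrets",
                             ["username", "password"])
    export_masked({"SECRET_USER": secret["username"],
                   "SECRET_PWD": secret["password"]},
                  os.environ.get("GITHUB_OUTPUT"))
    revoke_self(addr, tok)
```

Two design points are worth carrying into a real workflow: the mask is emitted before the value is written anywhere, because GitHub only redacts occurrences that appear after the `::add-mask::` command, and the revoke runs even though the token would expire on its own, so a token that leaked into an artifact or cache stops being useful once the job ends. Since both the broker JWT and the resulting Vault token pass through the `uses:` steps, pinning those references to a specific version or commit rather than `@main` keeps the code handling them from changing without review.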