This repository has been archived by the owner on Feb 27, 2024. It is now read-only.

Action to interact with Vault Broker to get approle tokens
bcgov-nr/action-vault-broker-approle
Latest commit: 9ef0d1c by Paulo Gomes da Cruz Junior, Jan 31, 2023
MIT License

Vault Approle Token extractor through Vault Broker API

This action acquires an AppRole token from Vault through the Broker API, which lets a team obtain and use Vault tokens from a GitHub Actions pipeline.

This is useful in CI/CD pipelines that need to read a secret, obtain a Vault token, or otherwise interact with Vault.

This tool is currently based on the existing documentation provided by 1team.

Usage

- uses: bcgov-nr/action-vault-broker-approle@main
  with:
    ### Required
    
    # Broker JWT Token
    broker_jwt: The JWT to be used on the broker

    # Role ID for Provision
    provision_role_id: The id of the role to be used during provisioning

    # Project name on vault
    project_name: Name of the project on vault, Ex. client
    
    # Application name on vault
    app_name: Name of the app on vault, Ex. app-client
    
    # Vault environment
    environment: Name of the vault environment, Ex. development
    
    ### Usually a bad idea / not recommended

    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}

    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}

    # Broker server address
    # Useful when consuming from a test server or other environment
    broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca
      
    # Vault server address
    # Useful when interacting with other instances of vault
    vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca
Example, Reading secrets

Read a secret from Vault.

Create or modify a GitHub workflow like the one below, e.g. .github/workflows/pr-open.yml

name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: super
          app_name: app-super
          environment: development
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/dev/super_secrets username | SECRET_USER;
            apps/data/dev/super_secrets password | SECRET_PWD;

Example, Matrix Token Reads

Read from multiple environments.

Create or modify a GitHub workflow like the one below, e.g. .github/workflows/pr-open.yml

name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        env: [dev, test]
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: super
          app_name: app-super
          environment: development
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/${{ matrix.env }}/super_secrets username | SECRET_USER;
            apps/data/${{ matrix.env }}/super_secrets password | SECRET_PWD;

Output

If a token is acquired, this action exposes its value as the vault_token output (steps.<id>.outputs.vault_token). See the examples above.
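The workflows above hand a broker JWT, a provision role id and the resulting Vault token between steps, so the points worth checking before merging such a workflow are that every credential comes from the secrets or steps context rather than a literal, that vault-action keeps exportEnv off, and that action references are pinned. The following linter is an added example, not part of this repository; it scans the workflow text line by line with the standard library only, and the sample workflow is constructed from the "Reading secrets" example.

```python
"""Added example (not part of bcgov-nr/action-vault-broker-approle): a
standard-library secret-hygiene check for the README's workflow pattern."""
import re

SENSITIVE_INPUTS = {"broker_jwt", "provision_role_id", "token"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
KV_RE = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(.*?)\s*$")
CONTEXT_RE = re.compile(r"\$\{\{\s*(secrets|steps)\.[^}]+\}\}")
# Constructed from the README's "Reading secrets" example.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - id: broker
    uses: bcgov-nr/action-vault-broker-approle@main
    with:
      broker_jwt: ${{ secrets.BROKER_JWT }}
      provision_role_id: ${{ secrets.PROVISION_ROLE }}
  - uses: hashicorp/vault-action@v2.5.0
    with:
      token: ${{ steps.broker.outputs.vault_token }}
      exportEnv: 'false'
"""


def lint_workflow(text: str) -> list[str]:
    """Return findings (empty list = all checks passed)."""
    findings, saw_export_env = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # A branch or tag ref can move; only a full commit SHA is immutable.
            if not re.fullmatch(r"[0-9a-f]{40}", ref.partition("@")[2]):
                findings.append(f"line {lineno}: {ref} is not pinned to a commit SHA")
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Credentials must come from the secrets/steps context, never a literal.
        if key in SENSITIVE_INPUTS and not CONTEXT_RE.fullmatch(value):
            findings.append(f"line {lineno}: {key} is a literal, not a context expression")
        if key == "exportEnv":
            saw_export_env = True
            if value.strip("'\"").lower() != "false":
                findings.append(f"line {lineno}: exportEnv must be 'false' so secrets stay out of the job environment")
    if "hashicorp/vault-action" in text and not saw_export_env:
        findings.append("vault-action step does not set exportEnv: 'false'")
    return findings
```

Run against the sample, the only findings are the three unpinned action references; replacing `@main` and the tags with commit SHAs clears them.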