Vault Approle Token extractor through Vault Broker API
v1.0.0
This action acquires an AppRole token from Vault through the Broker API, which lets a team read Vault secrets from a GitHub Actions pipeline.
It is useful in CI/CD pipelines that need to access a secret, obtain a Vault token, or do anything else Vault related.
This tool is currently based on the existing documentation provided by 1team.
1. Discuss with 1team/DBA to start the onboarding process on Vault.
2. Project setup is done for three environments: development, test and production.
3. The provision_role_id is environment specific and should be stored as a secret in the GitHub repository.
4. The broker_jwt is global, NOT environment specific, and should be stored as a secret in the GitHub repository.
```yaml
- uses: bcgov-nr/action-vault-broker-approle@main
  with:
    ### Required
    # Broker JWT Token
    broker_jwt: The JWT to be used on the broker
    # Role ID for Provision
    provision_role_id: The id of the role to be used during provisioning
    # Project name on vault
    project_name: Name of the project on vault, Ex. client
    # Application name on vault
    app_name: Name of the app on vault, Ex. app-client
    # Vault environment
    environment: Name of the vault environment, Ex. development

    ### Usually a bad idea / not recommended
    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}
    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}
    # Broker server address
    # Useful when consuming from a test server or other environment
    broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca
    # Vault server address
    # Useful when interacting with other instances of vault
    vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca
```
Read a secret from the vault
Create or modify a GitHub workflow like the one below, e.g. .github/workflows/pr-open.yml:
```yaml
name: Pull Request
on:
  pull_request:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    env:
      project_name: super
      app_name: app-super
      environment: development
      secret_path_env: dev # this path is different from the path in the broker
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: ${{ env.project_name }}
          app_name: ${{ env.app_name }}
          environment: ${{ env.environment }}
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets username | SECRET_USER;
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets password | SECRET_PWD;
```
If a token is acquired, this action outputs its value as `vault_token`. See the example above.
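The workflow above relies on two things that are easy to get wrong: the secret path uses a different environment segment (`dev`) than the broker environment (`development`), and the `secrets:` lines follow vault-action's `<kv path> <key> | <OUTPUT>;` format. The following Python is an added example, not part of this action or of vault-action, that builds the KV v2 path from the same inputs, parses those spec lines, and reads one key with the broker-issued token over Vault's HTTP API; the `test`/`production` entries of the path mapping and the `read_secret` helper are assumptions, only the `development` to `dev` pair appears on the page.

```python
import json
import re
import urllib.request

# Broker environment name -> path segment used in the KV path. The page shows
# development -> dev; the other two pairs are assumed for illustration.
SECRET_PATH_ENV = {"development": "dev", "test": "test", "production": "prod"}

# One vault-action spec line: "<kv path> <key> | <OUTPUT_NAME>;" (output optional).
SPEC_RE = re.compile(
    r"^\s*(?P<path>[^\s|]+)\s+(?P<key>[^\s|]+)\s*(?:\|\s*(?P<out>\w+))?\s*;?\s*$"
)


def parse_secret_spec(spec: str):
    """Turn the multi-line `secrets:` block into (path, key, output_name) tuples."""
    entries = []
    for line in spec.strip().splitlines():
        if not line.strip():
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"bad secret spec line: {line!r}")
        entries.append((m["path"], m["key"], m["out"] or m["key"].upper()))
    return entries


def kv2_path(project: str, app: str, environment: str, secret: str) -> str:
    """Build 'apps/data/<env>/<project>/<app>/<secret>' from the broker inputs."""
    return f"apps/data/{SECRET_PATH_ENV[environment]}/{project}/{app}/{secret}"


def extract_kv2(response: dict, key: str) -> str:
    """Pull one key out of a KV v2 read: {'data': {'data': {...}, 'metadata': {...}}}."""
    payload = response.get("data", {}).get("data")
    if not isinstance(payload, dict):
        raise ValueError("not a KV v2 response: missing data.data (KV v1 mount or wrong path?)")
    if key not in payload:
        raise KeyError(f"key {key!r} not present in secret")
    return payload[key]


def read_secret(vault_addr: str, token: str, path: str, key: str) -> str:
    """Read one key using the token from steps.broker.outputs.vault_token.
    If the value is ever echoed in a workflow log, emit ::add-mask::<value> first."""
    req = urllib.request.Request(f"{vault_addr}/v1/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_kv2(json.load(resp), key)
```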