Skip to content
package

GitHub Action

Vault Approle Token extractor through Vault Broker API

v1.0.0 Latest version

Vault Approle Token extractor through Vault Broker API

package

Vault Approle Token extractor through Vault Broker API

Acquires a token to be used on vault through the broker API

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Vault Approle Token extractor through Vault Broker API

uses: bcgov-nr/[email protected]

Learn more about this action in bcgov-nr/action-vault-broker-approle

Choose a version

Issues Pull Requests MIT License Lifecycle

Vault App role Token extractor through Vault Broker API

This action acquires an approle token from vault through the Broker API. This allows the team to read secrets through the GitHub action pipeline.

This is useful in CI/CD pipelines where you need to access a secret, get a vault token or anything vault related.

This tool is currently based on the existing documentation provided by 1team.

Prerequisites

1. Discussion with 1team/DBA to start the onboarding process on vault.
2. Project setup is done for 3 envs development, test and production.
3. The provision_role_id is environment specific and should be stored in as secrets in the github repository.
4. The broker_jwt is global and NOT environment specific and should be stored in as secrets in the github repository.

Usage

- uses: bcgov-nr/action-vault-broker-approle@main
  with:
    ### Required
    
    # Broker JWT Token
    broker_jwt: The JWT to be used on the broker

    # Role ID for Provision
    provision_role_id: The id of the role to be used during provisioning

    # Project name on vault
    project_name: Name of the project on vault, Ex. client
    
    # Application name on vault
    app_name: Name of the app on vault, Ex. app-client
    
    # Vault environment
    environment: Name of the vault environment, Ex. development
    
    ### Usually a bad idea / not recommended

    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}

    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}

    # Broker server address
    # Useful when consuming from a test server or other environment
    broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca
      
    # Vault server address
    # Useful when interacting with other instances of vault
    vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca


    

Example, Reading secrets

Read a secret from the vault

Create or modify a GitHub workflow, like below. E.g. ./github/workflows/pr-open.yml

name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    env:
      project_name: super
      app_name: app-super
      environment: development
      secret_path_env: dev # this path is different from the path in the broker
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: ${{ env.project_name }}
          app_name: ${{ env.app_name }}
          environment: ${{ env.environment }}
      - name: Import Secrets
        id: secrets
        uses: hashicorp/[email protected]
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets username | SECRET_USER;
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets password | SECRET_PWD;

Output

If a token is acquired this action will output the token value as the vault_token. See examples above.