
.github/workflows/vault_integration_example.yml #12


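---
# Example: authenticate a GitHub Actions job to HashiCorp Vault with the
# GitHub OIDC token (Vault JWT auth method) and read a secret.
#
# Trust model: the job never holds a long-lived Vault credential. GitHub mints
# a short-lived OIDC token (this is why the job needs `id-token: write`),
# Vault's JWT auth method validates it against `example_role` and returns a
# Vault token, and the job revokes that token when it is done.
#
# Notes for anyone copying this:
#   - Pin `hashicorp/vault-action` to a full commit SHA rather than the floating
#     `@v2` tag in production; a moving tag is a supply-chain exposure for the
#     one step that handles your secrets.
#   - The Vault role should restrict `bound_claims` (repository, ref or
#     environment) and `bound_audiences` (must equal `jwtGithubAudience` below);
#     otherwise any GitHub workflow that can reach Vault can assume the role.
#   - `exportEnv: true` places the secret value in the environment of every
#     later step in the job. Prefer `exportEnv: false` and
#     `${{ steps.secrets.outputs.FIRST_SECRET }}` when only one step needs it.
#   - vault-action masks each secret value with `::add-mask::`, which hides
#     only the *exact* string. Transforming it (base64, hex, splitting) before
#     echoing defeats the mask and writes the secret into the job log.
name: Vault integration example

on:
  workflow_dispatch:

jobs:
  read_static_secret:
    name: Example of reading a static secret
    runs-on: ubuntu-latest
    # Least privilege: only the OIDC token is required. `contents: read` is
    # stated explicitly so the job does not inherit a broader repository default.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Read Static Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          # The URL for the Vault endpoint. It is not itself sensitive, but
          # keeping it in a secret avoids hard-coding an environment address.
          url: ${{ secrets.VAULT_ADDR }}
          namespace: admin
          method: jwt
          role: example_role
          # Mount path of the JWT auth method (optional; shown for clarity).
          path: github_jwt
          # Sets the `aud` claim of the GitHub OIDC token. The Vault role must
          # list the same value in `bound_audiences` or authentication fails.
          jwtGithubAudience: example_audience
          # Export fetched secrets as environment variables (default true).
          exportEnv: true
          # Export the Vault token as VAULT_TOKEN (default true). The revoke
          # step below depends on this.
          exportToken: true
          # Semicolon-separated `<path> <key> | <ENV_NAME>` entries. The path
          # is a KV v2 read (note the `data/` segment). See the README.
          secrets: |
            secret/data/sample-secret first-secret | FIRST_SECRET ;
          # Time in seconds after which the Vault token expires
          # (optional, default 3600).
          # jwtTtl: 3600
          # Decode the stored value before exporting it. Supported values:
          # base64, hex, utf8 (optional; no decoding when unset).
          # secretEncodingType: base64
      - name: Confirm the static secret was retrieved
        # Never print the value, even transformed: base64 output is not
        # covered by the log mask. Reporting only the length proves the read
        # succeeded without leaking anything.
        run: |
          set -euo pipefail
          if [ -z "${FIRST_SECRET:-}" ]; then
            echo "::error::FIRST_SECRET was not populated by vault-action"
            exit 1
          fi
          echo "static secret retrieved (${#FIRST_SECRET} characters)"
      - name: Revoke token
        # Runs even when an earlier step failed, so the Vault token does not
        # outlive the job.
        if: always()
        env:
          # Passed through `env` rather than interpolated into the script with
          # `${{ }}`, which is the general rule for values used inside `run:`.
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          # The token was issued in this namespace; the revoke request must
          # target the same namespace.
          VAULT_NAMESPACE: admin
        run: |
          set -euo pipefail
          # If authentication never succeeded there is nothing to revoke; do
          # not turn that into a second failure that hides the real one.
          if [ -z "${VAULT_TOKEN:-}" ]; then
            echo "no VAULT_TOKEN in environment; skipping revoke"
            exit 0
          fi
          # --fail makes a non-2xx response fail the step (a token that was
          # not revoked should be noticed). No -v: that would dump the request
          # headers, including X-Vault-Token, into the log.
          curl --silent --show-error --fail -X POST \
            -H "X-Vault-Token: ${VAULT_TOKEN}" \
            -H "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
            "${VAULT_ADDR}/v1/auth/token/revoke-self"

  read_dynamic_secret:
    name: Example of reading a dynamic secret
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    # NOTE(review): despite the job name, this reads the same static KV v2 path
    # as the job above; nothing here is leased. A genuinely dynamic secret
    # (e.g. a database credential) would be leased to the Vault token, in which
    # case the revoke-self call below also revokes that lease — confirm against
    # the secrets engine you actually intend to use.
    steps:
      - name: Read Dynamic Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          # The URL for the Vault endpoint.
          url: ${{ secrets.VAULT_ADDR }}
          namespace: admin
          method: jwt
          role: example_role
          # Mount path of the JWT auth method (optional).
          path: github_jwt
          # Must match `bound_audiences` on the Vault role.
          jwtGithubAudience: example_audience
          # Export fetched secrets as environment variables (default true).
          exportEnv: true
          # Export the Vault token as VAULT_TOKEN (default true).
          exportToken: true
          # Semicolon-separated `<path> <key> | <ENV_NAME>` entries.
          secrets: |
            secret/data/sample-secret first-secret | FIRST_SECRET ;
      - name: Confirm the dynamic secret was retrieved
        # Same rule as above: report presence and length only, never the value
        # or any encoding of it.
        run: |
          set -euo pipefail
          if [ -z "${FIRST_SECRET:-}" ]; then
            echo "::error::FIRST_SECRET was not populated by vault-action"
            exit 1
          fi
          echo "dynamic secret retrieved (${#FIRST_SECRET} characters)"
      - name: Revoke token
        if: always()
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_NAMESPACE: admin
        run: |
          set -euo pipefail
          if [ -z "${VAULT_TOKEN:-}" ]; then
            echo "no VAULT_TOKEN in environment; skipping revoke"
            exit 0
          fi
          # Revoking the token also revokes any leases attached to it.
          curl --silent --show-error --fail -X POST \
            -H "X-Vault-Token: ${VAULT_TOKEN}" \
            -H "X-Vault-Namespace: ${VAULT_NAMESPACE}" \
            "${VAULT_ADDR}/v1/auth/token/revoke-self"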