.github/workflows/vault_integration_example.yml #12
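# Example workflow: authenticate to Vault with the job's GitHub OIDC token
# (Vault JWT auth method), read a KV v2 secret into the environment, and
# revoke the Vault token when the job ends, even if an earlier step failed.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:

jobs:
  read_static_secret:
    name: Example of reading a static secret
    runs-on: ubuntu-latest
    # id-token: write lets the job request a GitHub OIDC token for the Vault
    # JWT method; contents: read is the minimum the rest of the job needs.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Read Static Secrets
        id: secrets
        # NOTE(review): floating major tag; pinning a third-party action to a
        # full commit SHA is the stronger supply-chain posture.
        uses: hashicorp/vault-action@v2
        with:
          # The URL for the vault endpoint
          url: ${{ secrets.VAULT_ADDR }}
          namespace: admin
          method: jwt
          role: example_role
          path: github_jwt  # optional
          jwtGithubAudience: example_audience  # set the GitHub token's aud claim
          # Whether or not to export secrets as environment variables.
          exportEnv: true  # optional, default is true
          # Whether or not to export the Vault token as an environment variable (i.e. VAULT_TOKEN).
          exportToken: true  # optional, default is true
          # A semicolon-separated list of secrets to retrieve. These will automatically be
          # converted to environment variable keys. See README for more details.
          secrets: |
            secret/data/sample-secret first-secret | FIRST_SECRET ;
          # Time in seconds, after which token expires
          # jwtTtl:  # optional, default is 3600
          # The encoding type of the secret to decode. If not specified, the secret will
          # not be decoded. Supported values: base64, hex, utf8
          # secretEncodingType:  # optional
      - name: output of reading a static secret
        # Never print the secret, not even transformed: log masking matches only
        # the exact secret value, so an encoded copy (e.g. base64) would land in
        # the job log in the clear. Print only evidence that it was read.
        run: |
          echo "static secret read into FIRST_SECRET (${#FIRST_SECRET} characters)"
      - name: Revoke token
        if: always()
        # Pass the address through env rather than expanding the expression
        # inside the shell script, so the value is never interpreted as code.
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        # No -v: curl's verbose output echoes request headers, including
        # X-Vault-Token, into the log. --fail makes a failed revoke visible.
        run: |
          curl -sS --fail -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/auth/token/revoke-self"

  read_dynamic_secret:
    name: Example of reading a dynamic secret
    runs-on: ubuntu-latest
    # Same least-privilege token scopes as read_static_secret.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Read Dynamic Secrets
        id: secrets
        # NOTE(review): floating major tag; pinning a third-party action to a
        # full commit SHA is the stronger supply-chain posture.
        uses: hashicorp/vault-action@v2
        with:
          # The URL for the vault endpoint
          url: ${{ secrets.VAULT_ADDR }}
          namespace: admin
          method: jwt
          role: example_role
          path: github_jwt  # optional
          jwtGithubAudience: example_audience  # set the GitHub token's aud claim
          # Whether or not to export secrets as environment variables.
          exportEnv: true  # optional, default is true
          # Whether or not to export the Vault token as an environment variable (i.e. VAULT_TOKEN).
          exportToken: true  # optional, default is true
          # A semicolon-separated list of secrets to retrieve. These will automatically be
          # converted to environment variable keys. See README for more details.
          # NOTE(review): this reads the same KV v2 path as read_static_secret;
          # a dynamic-secret example would normally target a dynamic secrets
          # engine path -- confirm the intended path.
          secrets: |
            secret/data/sample-secret first-secret | FIRST_SECRET ;
      - name: output of reading a dynamic secret
        # Never print the secret, not even transformed: log masking matches only
        # the exact secret value, so an encoded copy (e.g. base64) would land in
        # the job log in the clear. Print only evidence that it was read.
        run: |
          echo "dynamic secret read into FIRST_SECRET (${#FIRST_SECRET} characters)"
      - name: Revoke token
        if: always()
        # Pass the address through env rather than expanding the expression
        # inside the shell script, so the value is never interpreted as code.
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
        # No -v: curl's verbose output echoes request headers, including
        # X-Vault-Token, into the log. --fail makes a failed revoke visible.
        run: |
          curl -sS --fail -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/auth/token/revoke-self"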