update vault #7

Summary
Jobs
- read-secret
Run details
- Usage
- Workflow file

Workflow file for this run

	name: OIDC Access Test

	on: push

	permissions:
	id-token: write
	contents: read

	jobs:
	read-secret:
	runs-on: ubuntu-latest
	steps:
	# Checkout the repository to the GitHub Actions runner
	- name: Checkout
	uses: actions/checkout@v2

	# Shout out to Benjamin Pannell at Sierra Softworks for this
	# https://sierrasoftworks.com/2021/12/20/vault-github-actions/#policies
	- name: Troubleshooting
	run: \|
	curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" \| \
	jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json

	echo 'GitHub Actions Token Claims'
	cat ./token.json \| jq -r '.jwt \| split(".") \| .[1] \| @base64d' \| jq

	echo 'Vault Login Response'
	curl -sSLf -X POST -H "Content-Type: application/json" -H "X-Vault-Namespace: admin/kalam-test" --data @token.json $VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login

	# Remove the token file when we're done (if we don't fail)
	rm ./token.json
	env:
	VAULT_URL: ${{ secrets.VAULT_ADDR }}
	VAULT_AUTH_PATH: jwt
	VAULT_ROLE: ${{ secrets.VAULT_ROLE }}
	- name: Retrieve Secrets
	id: secretdata
	uses: hashicorp/[email protected]
	with:
	method: jwt
	url: ${{ secrets.VAULT_ADDR }}
	namespace: ${{ secrets.VAULT_NAMESPACE }}
	role: ${{ secrets.VAULT_ROLE }}
	secrets: ${{ secrets.VAULT_SECRET_PATH }} ${{ secrets.VAULT_SECRET_KEY }} \| MY_SECRET

	- name: Print Secrets
	run: \|
	echo '${{ steps.secretdata.outputs.MY_SECRET }}'
	- name: Build Docker Image
	run: docker build . --file Dockerfile --build-arg app_secret="${{ env.MY_SECRET }}" -t vault-action-exampleapp
	- name: read secret from container
	run: docker run vault-action-exampleapp /bin/bash -c "cat ./app_secret" \| sed 's/./& /g'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update vault #7

Workflow file

update vault #7

Jobs

Run details

Workflow file for this run