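---
# Diagnostic workflow: proves that this repository's GitHub OIDC identity can
# log in to Vault and read one secret, then shows how that secret flows into a
# container build. Two of the steps below print the secret on purpose; this
# file must not be copied into a production pipeline as-is.
name: OIDC Access Test

on: push

# Least privilege for the job token: id-token:write is needed to mint the OIDC
# JWT, contents:read is all that checkout needs. Nothing else is granted.
permissions:
  id-token: write
  contents: read

jobs:
  read-secret:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pin third-party actions to a full commit SHA instead of a
      # mutable tag (v2, v2.4.1); a moved tag can swap in different code that
      # runs with the OIDC token and the Vault secret in reach.
      - name: Checkout
        uses: actions/checkout@v2

      # Manual replay of the jwt login that vault-action performs, for
      # debugging role / bound-claim mismatches.
      # Shout out to Benjamin Pannell at Sierra Softworks for this
      # https://sierrasoftworks.com/2021/12/20/vault-github-actions/#policies
      - name: Troubleshooting
        env:
          VAULT_URL: ${{ secrets.VAULT_ADDR }}
          VAULT_AUTH_PATH: jwt
          VAULT_ROLE: ${{ secrets.VAULT_ROLE }}
        run: |
          set -euo pipefail
          # The JWT is written to disk only because curl reads --data @file.
          # Remove it on every exit path, not just on success, so a failed
          # login does not leave a bearer credential in the workspace for
          # later steps (the original only deleted it after a clean run).
          trap 'rm -f ./token.json' EXIT

          curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL" | \
            jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json

          # Payload segment only: these claims (sub, repository, ref, ...) are
          # what the Vault role's bound claims are matched against.
          echo 'GitHub Actions Token Claims'
          jq -r '.jwt | split(".") | .[1] | @base64d' ./token.json | jq

          # A successful login response carries auth.client_token, a live
          # Vault token that the runner does NOT mask. Strip it and the
          # accessor before the response reaches the job log; the policies and
          # metadata are what a troubleshooter needs to see.
          # The namespace is hard-coded here while the Retrieve Secrets step
          # reads secrets.VAULT_NAMESPACE -- keep the two in sync.
          echo 'Vault Login Response'
          curl -sSLf -X POST -H "Content-Type: application/json" \
            -H "X-Vault-Namespace: admin/kalam-test" \
            --data @token.json "$VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login" | \
            jq 'del(.auth.client_token, .auth.accessor)'

      - name: Retrieve Secrets
        id: secretdata
        uses: hashicorp/[email protected]
        with:
          method: jwt
          url: ${{ secrets.VAULT_ADDR }}
          namespace: ${{ secrets.VAULT_NAMESPACE }}
          role: ${{ secrets.VAULT_ROLE }}
          # "<path> <key> | MY_SECRET" exposes the value as step output
          # MY_SECRET; the Build step below also relies on the action's
          # default env export so that $MY_SECRET exists in the shell.
          secrets: ${{ secrets.VAULT_SECRET_PATH }} ${{ secrets.VAULT_SECRET_KEY }} | MY_SECRET

      # Expression interpolation inside `run:` (${{ ... }}) splices the raw
      # value into the script text before bash parses it, so a secret holding
      # a quote or newline would break out of the echo (script injection).
      # Hand it over through env and let the shell expand it instead. The
      # runner still prints it as *** because vault-action registers the
      # value as a secret.
      - name: Print Secrets
        env:
          SECRET_FROM_OUTPUT: ${{ steps.secretdata.outputs.MY_SECRET }}
        run: |
          echo "$SECRET_FROM_OUTPUT"

      # NOTE(review): a --build-arg value is recorded in the image's layer
      # metadata (`docker history`) and in the build cache, so anyone who can
      # pull the image gets the secret. A BuildKit secret mount
      # (`--secret id=app_secret,env=MY_SECRET` plus `RUN --mount=type=secret`
      # in the Dockerfile) keeps it out of the image, but needs a Dockerfile
      # change that is not visible here, so the build arg is kept.
      # $MY_SECRET is expanded by the shell rather than interpolated with
      # ${{ env.MY_SECRET }}, for the same injection reason as above; both
      # forms read the variable vault-action exported to GITHUB_ENV.
      - name: Build Docker Image
        run: docker build . --file Dockerfile --build-arg app_secret="$MY_SECRET" -t vault-action-exampleapp

      # Deliberately defeats log masking: inserting a space after every
      # character means the runner's *** filter never matches the registered
      # value. That proves the build arg reached the container (presumably the
      # Dockerfile writes it to ./app_secret -- confirm against the Dockerfile),
      # and it also prints the secret in clear text to anyone with read
      # access to the job log. Keep this in a throwaway test repository only;
      # drop the sed, or the whole step, before reusing this workflow.
      - name: read secret from container
        run: docker run --rm vault-action-exampleapp /bin/bash -c "cat ./app_secret" | sed 's/./& /g'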