update vault

.github/workflows/final.yml

@@ -0,0 +1,49 @@
+name: OIDC Access Test
+
+on: push
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  read-secret:
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Shout out to Benjamin Pannell at Sierra Softworks for this
+    # https://sierrasoftworks.com/2021/12/20/vault-github-actions/#policies
+    - name: Troubleshooting
+      run: |
+          curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | \
+          jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json
+            
+          echo 'GitHub Actions Token Claims'
+          cat ./token.json | jq -r '.jwt | split(".") | .[1] | @base64d' | jq
+
+          echo 'Vault Login Response'
+          curl -sSLf -X POST -H "Content-Type: application/json" -H "X-Vault-Namespace: admin" --data @token.json $VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login
+
+          # Remove the token file when we're done (if we don't fail)
+          rm ./token.json
+      env:
+        VAULT_URL: ${{ secrets.VAULT_ADDR }}
+        VAULT_AUTH_PATH: jwt
+        VAULT_ROLE: ${{ secrets.VAULT_ROLE }}
+
+    - name: Retrieve Secrets
+      id: secretdata
+      uses: hashicorp/[email protected]
+      with: 
+        method: jwt
+        url: ${{ secrets.VAULT_ADDR }}
+        namespace: ${{ secrets.VAULT_NAMESPACE }}
+        role: ${{ secrets.VAULT_ROLE }}
+        secrets: ${{ secrets.VAULT_SECRET_PATH }} ${{ secrets.VAULT_SECRET_KEY }} | MY_SECRET
+
+    - name: Print Secrets
+      run: |
+          echo '${{ steps.secretdata.outputs.MY_SECRET }}'