Start Vault:

```shell
vault server -dev
```

Enable the JWT auth method:

```shell
vault auth enable jwt
```

Configure JWT auth with the GitHub Actions OIDC discovery URL:

```shell
vault write auth/jwt/config \
    oidc_discovery_url="https://token.actions.githubusercontent.com" \
    bound_issuer="https://token.actions.githubusercontent.com" \
    default_role="github-action"
```

Create a role for JWT authentication:

```shell
vault write auth/jwt/role/github-action \
    bound_subject="repo:alwell-kevin/code-to-cloud-twitch:ref:refs/heads/main" \
    bound_audiences="https://github.com/alwell-kevin" \
    user_claim="sub" \
    policies="ci" \
    ttl=10m \
    role_type="jwt"
```
Note: `ttl` defines how long the returned `client_token` stays valid. Raise it if the token needs a longer lifetime.

Create a `ci` policy that grants the CI job read access to the secret path:
```hcl
# ci-policy.hcl
path "secret/data/ci" {
  capabilities = [ "read" ]
}
```

Write the policy:

```shell
vault policy write ci ci-policy.hcl
```

Add the secret:

```shell
vault kv put secret/ci npmToken=StresseD
```

Configure and start a self-hosted runner:

```shell
# ...configuration according to instructions...
./run.sh
```
Commit a workflow that requests an OIDC token (`id-token: write`) and exchanges it for the secret:

```yaml
on:
  workflow_dispatch:
name: Retrieve Vault Secret
jobs:
  build:
    runs-on: self-hosted
    permissions:
      id-token: write
      contents: read
    steps:
      # Use the official HashiCorp Vault action, directing it to retrieve the `npmToken` secret from
      # the local endpoint using the role configured previously.
      # <version>: placeholder, pin to a released tag of hashicorp/vault-action.
      - uses: hashicorp/vault-action@<version>
        with:
          url: 'http://127.0.0.1:8200'
          method: jwt
          role: github-action
          secrets: secret/data/ci npmToken
      # Use the secret (echo for validation, in this case). By default, the secret is written to an
      # environment variable with the same name as the secret.
      # https://github.com/hashicorp/vault-action#set-output-variable-name
      - run: |
          echo $NPMTOKEN | rev
```
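To see why the role above pins `bound_issuer`, `bound_audiences` and the full `bound_subject` (including `ref:refs/heads/main`), here is an added Python model of the claim checks Vault applies to a GitHub Actions OIDC token before it issues a `client_token`. This is example code written for this walkthrough, not Vault's or vault-action's own code; the tokens it builds are constructed and unsigned, and it skips the JWKS signature check that Vault performs.

```python
import base64
import json
import time

# Role bindings as configured above; bound_issuer comes from auth/jwt/config.
ROLE = {
    "bound_issuer": "https://token.actions.githubusercontent.com",
    "bound_subject": "repo:alwell-kevin/code-to-cloud-twitch:ref:refs/heads/main",
    "bound_audiences": ["https://github.com/alwell-kevin"],
    "user_claim": "sub",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed compact JWT with a dummy signature, for test input only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check here: Vault verifies
    the signature against the JWKS fetched from oidc_discovery_url."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_role_bindings(claims: dict, now=None, role: dict = ROLE) -> tuple:
    """Apply the role's claim bindings in order; returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != role["bound_issuer"]:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(role["bound_audiences"]):
        return False, "audience not bound to role"
    if not claims.get(role["user_claim"]):
        return False, f"user_claim {role['user_claim']!r} missing"
    if claims.get("sub") != role["bound_subject"]:
        return False, f"subject {claims.get('sub')!r} not bound"
    return True, "ok"

def github_claims(repo: str, ref: str, owner: str = "alwell-kevin", exp: float = 2_000_000_000) -> dict:
    """Constructed subset of the claims GitHub places in an Actions OIDC token."""
    return {
        "iss": "https://token.actions.githubusercontent.com",
        "aud": f"https://github.com/{owner}",  # GitHub's default audience is the repo owner URL
        "sub": f"repo:{repo}:ref:{ref}",
        "repository": repo, "ref": ref, "exp": exp,
    }
```

A token minted for a pull-request run (`ref:refs/pull/7/merge`) or for the same repository name under another owner is rejected, which is the point of binding the full subject rather than only the repository.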
Special shout-out to @imjohnbo for making this possible!