actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00
Code Activity Actions

chore: Update docker compose command

Browse source
This commit is contained in:
David Sewell 2024-12-05 16:39:56 -05:00
parent 33b70ff01a
commit 568bbb544e
3 changed files with 314 additions and 311 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

437
.github/workflows/build.yml vendored
View file

@ -6,283 +6,282 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run Test
run: npm run test
- name: NPM Run Test
run: npm run test
integrationOSS:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker-compose
run: docker-compose up -d vault
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run test;integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
- name: NPM Run test;integration:basic
run: npm run test:integration:basic
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
integrationEnterprise:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker-compose
run: docker-compose up -d vault-enterprise
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- name: Run docker compose
run: docker compose up -d vault-enterprise
env:
VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }}
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: NPM Run test:integration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
- name: NPM Run test:integration:enterprise
run: npm run test:integration:enterprise
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
CI: true
e2e:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker-compose
run: docker-compose up -d vault
- name: Run docker compose
run: docker compose up -d vault
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: Setup Vault
run: node ./integrationTests/e2e/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
- name: Setup Vault
run: node ./integrationTests/e2e/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
# The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
# They should come before the Verify Vault Action Outputs step
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/test secret | SUBSEQUENT_TEST_SECRET;
# The ordering of these two Test Vault Action Overwrites Env Vars In Subsequent Action steps matters
# They should come before the Verify Vault Action Outputs step
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 1/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/test secret | SUBSEQUENT_TEST_SECRET;
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
- name: Test Vault Action Overwrites Env Vars In Subsequent Action (part 2/2)
uses: ./
with:
url: http://localhost:8200/
token: testtoken
secrets: |
secret/data/subsequent-test secret | SUBSEQUENT_TEST_SECRET;
- name: Test JSON Secrets
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test-json-data jsonData;
secret/data/test-json-string jsonString;
secret/data/test-json-string-multiline jsonStringMultiline;
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
- name: Test JSON Secrets
uses: ./
with:
url: http://localhost:8200
token: testtoken
secrets: |
secret/data/test-json-data jsonData;
secret/data/test-json-string jsonString;
secret/data/test-json-string-multiline jsonStringMultiline;
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets.outputs.otherSecret }}
e2e-tls:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Run docker-compose
run: docker-compose up -d vault-tls
- name: Run docker compose
run: docker compose up -d vault-tls
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: '20.9.0'
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: "20.9.0"
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Setup NPM Cache
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: NPM Install
run: npm ci
- name: NPM Install
run: npm ci
- name: NPM Build
run: npm run build
- name: NPM Build
run: npm run build
- name: Setup Vault
run: node ./integrationTests/e2e-tls/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
VAULTCA: ${{ secrets.VAULTCA }}
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Setup Vault
run: node ./integrationTests/e2e-tls/setup.js
env:
VAULT_HOST: localhost
VAULT_PORT: 8200
VAULTCA: ${{ secrets.VAULTCA }}
VAULT_CLIENT_CERT: ${{ secrets.VAULT_CLIENT_CERT }}
VAULT_CLIENT_KEY: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets-tls
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (default KV V2)
uses: ./
id: kv-secrets-tls
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/test secret ;
secret/data/test secret | NAMED_SECRET ;
secret/data/nested/test otherSecret ;
- name: Test Vault Action (tlsSkipVerify)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
tlsSkipVerify: true
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/tlsSkipVerify skip ;
- name: Test Vault Action (tlsSkipVerify)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
tlsSkipVerify: true
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
secret/data/tlsSkipVerify skip ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (default KV V1)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
secrets: |
my-secret/test altSecret ;
my-secret/test altSecret | NAMED_ALTSECRET ;
my-secret/nested/test otherAltSecret ;
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Test Vault Action (cubbyhole)
uses: ./
with:
url: https://localhost:8200
token: ${{ env.VAULT_TOKEN }}
secrets: |
/cubbyhole/test foo ;
/cubbyhole/test zip | NAMED_CUBBYSECRET ;
caCertificate: ${{ secrets.VAULTCA }}
clientCertificate: ${{ secrets.VAULT_CLIENT_CERT }}
clientKey: ${{ secrets.VAULT_CLIENT_KEY }}
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e-tls
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}
- name: Verify Vault Action Outputs
run: npm run test:integration:e2e-tls
env:
OTHER_SECRET_OUTPUT: ${{ steps.kv-secrets-tls.outputs.otherSecret }}

2
Makefile
View file

@ -1,3 +1,3 @@
.PHONY: local-test
local-test:
docker compose down; docker-compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml
docker compose down; docker compose up -d vault && act workflow_dispatch -j local-test -W .github/workflows/local-test.yaml

186
README.md
View file

@ -46,46 +46,51 @@ is not meant to modify Vaults state.
```yaml
jobs:
build:
# ...
steps:
# ...
- name: Import Secrets
id: import-secrets
uses: hashicorp/vault-action@v2
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULT_CA_CERT }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
build:
# ...
steps:
# ...
- name: Import Secrets
id: import-secrets
uses: hashicorp/vault-action@v2
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VAULT_TOKEN }}
caCertificate: ${{ secrets.VAULT_CA_CERT }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
```
Retrieved secrets are available as environment variables or outputs for subsequent steps:
```yaml
#...
- name: Step following 'Import Secrets'
run: |
ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
# ...
- name: Step following 'Import Secrets'
run: |
ACCESS_KEY_ID = "${{ env.AWS_ACCESS_KEY_ID }}"
SECRET_ACCESS_KEY = "${{ steps.import-secrets.outputs.AWS_SECRET_ACCESS_KEY }}"
# ...
```
If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
If your project needs a format other than env vars and step outputs, you can use additional steps to transform them into the desired format.
For example, a common pattern is to save all the secrets in a JSON file:
```yaml
#...
- name: Step following 'Import Secrets'
run: |
touch secrets.json
echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
# ...
- name: Step following 'Import Secrets'
run: |
touch secrets.json
echo '${{ toJson(steps.import-secrets.outputs) }}' >> secrets.json
# ...
```
Which with our example would yield a file containing:
```json
{
"ACCESS_KEY_ID": "MY_KEY_ID",
@ -96,7 +101,6 @@ Which with our example would yield a file containing:
Note that all secrets are masked so programs need to read the file themselves otherwise all values will be replaced with a `***` placeholder.
## Authentication Methods
Consider using a [Vault authentication method](https://www.vaultproject.io/docs/auth) such as the JWT auth method with
@ -110,7 +114,7 @@ and Vault using the
Each GitHub Actions workflow receives an auto-generated OIDC token with claims
to establish the identity of the workflow.
__Vault Configuration__
**Vault Configuration**
<details>
<summary>Click to toggle instructions for configuring Vault.</summary>
@ -121,7 +125,6 @@ Pass the following parameters to your auth method configuration:
- `oidc_discovery_url`: `https://token.actions.githubusercontent.com`
- `bound_issuer`: `https://token.actions.githubusercontent.com`
Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) for the auth method.
- `role_type`: `jwt`
@ -137,12 +140,12 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
- For wildcard (non-exact) matches, use `bound_claims`.
- `bound_claims_type`: `glob`
- `bound_claims_type`: `glob`
- `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
```json
{"sub": "repo:<orgName>/*"}
```
- `bound_claims`: JSON object. Maps one or more claim names to corresponding wildcard values.
```json
{ "sub": "repo:<orgName>/*" }
```
- For exact matches, use `bound_subject`.
@ -155,17 +158,17 @@ Configure a [Vault role](https://www.vaultproject.io/api/auth/jwt#create-role) f
</details>
__GitHub Actions Workflow__
**GitHub Actions Workflow**
In the GitHub Actions workflow, the workflow needs permissions to read contents
and write the ID token.
```yaml
jobs:
retrieve-secret:
permissions:
contents: read
id-token: write
retrieve-secret:
permissions:
contents: read
id-token: write
```
In the action, provide the name of the Vault role you created to the `role` parameter.
@ -320,7 +323,7 @@ with:
The `secrets` parameter is a set of multiple secret requests separated by the `;` character.
Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
Each secret request consists of the `path` and the `key` of the desired secret, and optionally the desired Env Var output name.
Note that the selector is using [JSONata](https://docs.jsonata.org/overview.html) and certain characters in keys may need to be escaped.
```raw
@ -333,7 +336,7 @@ To retrieve a key `npmToken` from path `secret/data/ci` that has value `somelong
```yaml
with:
secrets: secret/data/ci npmToken
secrets: secret/data/ci npmToken
```
`vault-action` will automatically normalize the given secret selector key, and set the follow as environment variables for the following steps in the current job:
@ -346,12 +349,12 @@ You can also access the secret via outputs:
```yaml
steps:
# ...
- name: Import Secrets
id: secrets
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
# ...
- name: Import Secrets
id: secrets
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'"
```
_**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._
@ -362,7 +365,7 @@ However, if you want to set it to a specific name, say `NPM_TOKEN`, you could do
```yaml
with:
secrets: secret/data/ci npmToken | NPM_TOKEN
secrets: secret/data/ci npmToken | NPM_TOKEN
```
With that, `vault-action` will now use your requested name and output:
@ -379,7 +382,6 @@ steps:
# Import config...
- name: Sensitive Operation
run: "my-cli --token '${{ steps.secrets.outputs.NPM_TOKEN }}'"
```
### Multiple Secrets
@ -388,16 +390,17 @@ This action can take multi-line input, so say you had your AWS keys stored in a
```yaml
with:
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
```
You can specify a wildcard * for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
You can specify a wildcard \* for the key name to get all keys in the path. If you provide an output name with the wildcard, the name will be prepended to the key name:
```yaml
with:
secrets: |
secret/data/ci/aws * | MYAPP_ ;
secrets: |
secret/data/ci/aws * | MYAPP_ ;
```
### KV secrets engine version 2
@ -450,9 +453,9 @@ For example, to request a secret from the `cubbyhole` secret engine:
```yaml
with:
secrets: |
/cubbyhole/foo foo ;
/cubbyhole/foo zip | MY_KEY ;
secrets: |
/cubbyhole/foo foo ;
/cubbyhole/foo zip | MY_KEY ;
```
Resulting in:
@ -480,12 +483,12 @@ If you ever need to add extra headers to the vault request, say if you need to a
```yaml
with:
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
extraHeaders: |
X-Secure-Id: ${{ secrets.SECURE_ID }}
X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY
extraHeaders: |
X-Secure-Id: ${{ secrets.SECURE_ID }}
X-Secure-Secret: ${{ secrets.SECURE_SECRET }}
```
This will automatically add the `x-secure-id` and `x-secure-secret` headers to every request to Vault.
@ -503,18 +506,18 @@ parameter specifying the namespace. In HCP Vault, the namespace defaults to `adm
```yaml
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
namespace: admin
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
namespace: admin
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
secret/data/ci npm_token
```
Alternatively, you may need to authenticate to the root namespace and retrieve
@ -523,17 +526,17 @@ parameter. Instead set the namespace in the secret path. For example, `<NAMESPAC
```yaml
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
namespace-1/secret/data/ci npm_token
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
namespace-1/secret/data/ci npm_token
```
## Reference
@ -726,9 +729,10 @@ To make it simpler to consume certain secrets as env vars, if no Env/Output Var
## Contributing
If you wish to contribute to this project, the following dependencies are recommended for local development:
- [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to install dependencies, build project and run tests
- [docker](https://docs.docker.com/get-docker/) to run the pre-configured vault containers for acceptance tests
- [docker-compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
- [docker compose](https://docs.docker.com/compose/) to spin up the pre-configured vault containers for acceptance tests
- [act](https://github.com/nektos/act) to run the vault-action locally
### Build
@ -741,11 +745,11 @@ $ npm install && npm run build
### Vault test instance
The Github Action needs access to a working Vault instance to function.
The Github Action needs access to a working Vault instance to function.
Multiple docker configurations are available via the docker-compose.yml file to run containers compatible with the various acceptance test suites.
```sh
$ docker-compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
$ docker compose up -d vault # Choose one of: vault, vault-enterprise, vault-tls depending on which tests you would like to run
```
Instead of using one of the dockerized instance, you can also use your own local or remote Vault instance by exporting these environment variables: