mirror of
https://github.com/hashicorp/vault-action.git
synced 2025-11-07 07:06:56 +00:00
docs: add namespace example to readme (#562)
* docs: add namespace example to readme * fix integration test jwt audience
This commit is contained in:
John-Michael Faircloth
GitHub
parent
148ee648cc
commit
8b7eaceb79
2 changed files with 56 additions and 18 deletions
20
README.md
20
README.md
|
|
@ -486,7 +486,6 @@ steps:
|
|||
uses: hashicorp/vault-action
|
||||
with:
|
||||
url: https://vault-enterprise.mycompany.com:8200
|
||||
caCertificate: ${{ secrets.VAULT_CA_CERT }}
|
||||
method: token
|
||||
token: ${{ secrets.VAULT_TOKEN }}
|
||||
namespace: admin
|
||||
|
|
@ -496,6 +495,25 @@ steps:
|
|||
secret/data/ci npm_token
|
||||
```
|
||||
|
||||
Alternatively, you may need to authenticate to the root namespace and retrieve
|
||||
a secret from a different namespace. To do this, do not set the `namespace`
|
||||
parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
# ...
|
||||
- name: Import Secrets
|
||||
uses: hashicorp/vault-action
|
||||
with:
|
||||
url: https://vault-enterprise.mycompany.com:8200
|
||||
method: token
|
||||
token: ${{ secrets.VAULT_TOKEN }}
|
||||
secrets: |
|
||||
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
|
||||
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
|
||||
namespace-1/secret/data/ci npm_token
|
||||
```
|
||||
|
||||
## Reference
|
||||
|
||||
Here are all the inputs available through `with`:
|
||||
|
|
|
|||
|
|
@ -97,6 +97,8 @@ describe('jwt auth', () => {
|
|||
}
|
||||
});
|
||||
|
||||
// write the jwt config, the jwt role will be written on a per-test
|
||||
// basis since the audience may vary
|
||||
await got(`${vaultUrl}/v1/auth/jwt/config`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -108,22 +110,6 @@ describe('jwt auth', () => {
|
|||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/secret/data/test`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -138,6 +124,24 @@ describe('jwt auth', () => {
|
|||
});
|
||||
|
||||
describe('authenticate with private key', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
jest.resetAllMocks();
|
||||
|
||||
|
|
@ -170,6 +174,22 @@ describe('jwt auth', () => {
|
|||
|
||||
describe('authenticate with Github OIDC', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: 'https://github.com/hashicorp/vault-action',
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
|
|
@ -177,7 +197,7 @@ describe('jwt auth', () => {
|
|||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_audiences: 'sigstore',
|
||||
bound_claims: {
|
||||
iss: 'vault-action',
|
||||
aud: 'sigstore',
|
||||
|
|
|
|||
Loading…
Reference in a new issue