mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00

Update doc for TLS (#103)

This commit is contained in:
Jason O'Donnell 2020-08-12 11:53:00 -04:00 committed by GitHub
parent a214c8c65a
commit c8b383ee4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -40,6 +40,7 @@ jobs:
with: with:
url: https://vault.mycompany.com:8200 url: https://vault.mycompany.com:8200
token: ${{ secrets.VaultToken }} token: ${{ secrets.VaultToken }}
caCertificate: ${{ secrets.VAULTCA }}
secrets: | secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ; secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ; secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
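Review bot: the added `caCertificate: ${{ secrets.VAULTCA }}` line appears in the basic example without saying when it is needed or what format it takes; the inputs table further down marks it optional and base64-encoded, so a reader of this snippet alone may assume it is required or paste raw PEM. Suggest a short note beside it, e.g. `# optional: base64-encoded PEM of the CA that signed the Vault server certificate`.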
@ -57,6 +58,7 @@ While most workflows will likely use a vault token, you can also use an `approle
with: with:
url: https://vault.mycompany.com:8200 url: https://vault.mycompany.com:8200
token: ${{ secrets.VaultToken }} token: ${{ secrets.VaultToken }}
caCertificate: ${{ secrets.VAULTCA }}
``` ```
- **approle**: you must provide a `roleId` & `secretId` parameter - **approle**: you must provide a `roleId` & `secretId` parameter
```yaml ```yaml
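Review bot: this is the second of four auth-method examples that gain an identical `caCertificate` line. Rather than repeating the input in every snippet, consider one TLS subsection that shows `caCertificate` once, together with `clientCertificate` and `clientKey` (which receive table rows in this change but no example), and keep each method example limited to the credential inputs that actually differ.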
@ -66,6 +68,7 @@ with:
method: approle method: approle
roleId: ${{ secrets.roleId }} roleId: ${{ secrets.roleId }}
secretId: ${{ secrets.secretId }} secretId: ${{ secrets.secretId }}
caCertificate: ${{ secrets.VAULTCA }}
``` ```
- **github**: you must provide the github token as `githubToken` - **github**: you must provide the github token as `githubToken`
```yaml ```yaml
@ -74,6 +77,7 @@ with:
url: https://vault.mycompany.com:8200 url: https://vault.mycompany.com:8200
method: github method: github
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
``` ```
If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token. If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
@ -220,6 +224,7 @@ steps:
with: with:
url: https://vault-enterprise.mycompany.com:8200 url: https://vault-enterprise.mycompany.com:8200
method: token method: token
caCertificate: ${{ secrets.VAULTCA }}
token: ${{ secrets.VaultToken }} token: ${{ secrets.VaultToken }}
namespace: ns1 namespace: ns1
secrets: | secrets: |
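Review bot: ordering nit: here `caCertificate` is inserted between `method: token` and `token:`, while the other examples place it after the credential inputs. Keeping the key order consistent across snippets means the only visible difference in this example is `namespace: ns1`, which is the point it is meant to illustrate.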
@ -232,19 +237,23 @@ steps:
Here are all the inputs available through `with`: Here are all the inputs available through `with`:
| Input | Description | Default | Required | | Input | Description | Default | Required |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
| `url` | The URL for the vault endpoint | | ✔ | | `url` | The URL for the vault endpoint | | ✔ |
| `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | ✔ | | `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | ✔ |
| `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | | | `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | |
| `method` | The method to use to authenticate with Vault. | `token` | | | `method` | The method to use to authenticate with Vault. | `token` | |
| `token` | The Vault Token to be used to authenticate with Vault | | | | `token` | The Vault Token to be used to authenticate with Vault | | |
| `roleId` | The Role Id for App Role authentication | | | | `roleId` | The Role Id for App Role authentication | | |
| `secretId` | The Secret Id for App Role authentication | | | | `secretId` | The Secret Id for App Role authentication | | |
| `githubToken` | The Github Token to be used to authenticate with Vault | | | | `githubToken` | The Github Token to be used to authenticate with Vault | | |
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | | | `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | | | `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | | | `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
| `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
## Masking - Hiding Secrets from Logs ## Masking - Hiding Secrets from Logs
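Review bot: the `tlsSkipVerify` description ("when testing the action") omits the consequence: with it set to true the action does not verify the server certificate, so the Vault token is sent to, and secrets are accepted from, whatever answers at `url`. Suggest wording along the lines of "Disables verification of the server certificate. Intended only for local testing; leave `false` in CI workflows." Likewise `clientKey` is a private key, and its description should say to supply it from an encrypted secret, as the examples already do for `caCertificate`. Finally, `clientCertificate` and `clientKey` are documented only in this table; an mTLS example would help readers get the base64 encoding right.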