actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 07:06:56 +00:00
Code Activity Actions

Update doc for TLS (#103)

Browse source
This commit is contained in:
Jason O'Donnell 2020-08-12 11:53:00 -04:00 committed by GitHub
parent a214c8c65a
commit c8b383ee4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -40,6 +40,7 @@ jobs:
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VaultToken }}
caCertificate: ${{ secrets.VAULTCA }}
secrets: |
secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
@ -57,6 +58,7 @@ While most workflows will likely use a vault token, you can also use an `approle
with:
url: https://vault.mycompany.com:8200
token: ${{ secrets.VaultToken }}
caCertificate: ${{ secrets.VAULTCA }}
```
- **approle**: you must provide a `roleId` & `secretId` parameter
```yaml
@ -66,6 +68,7 @@ with:
method: approle
roleId: ${{ secrets.roleId }}
secretId: ${{ secrets.secretId }}
caCertificate: ${{ secrets.VAULTCA }}
```
- **github**: you must provide the github token as `githubToken`
```yaml
@ -74,6 +77,7 @@ with:
url: https://vault.mycompany.com:8200
method: github
githubToken: ${{ secrets.GITHUB_TOKEN }}
caCertificate: ${{ secrets.VAULTCA }}
```
If any other method is specified and you provide an `authPayload`, the action will attempt to `POST` to `auth/${method}/login` with the provided payload and parse out the client token.
@ -220,6 +224,7 @@ steps:
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
caCertificate: ${{ secrets.VAULTCA }}
token: ${{ secrets.VaultToken }}
namespace: ns1
secrets: |
@ -233,7 +238,7 @@ steps:
Here are all the inputs available through `with`:
| Input | Description | Default | Required |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
| `url` | The URL for the vault endpoint | | ✔ |
| `secrets` | A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details | | ✔ |
| `namespace` | The Vault namespace from which to query secrets. Vault Enterprise only, unset by default | | |
@ -245,6 +250,10 @@ Here are all the inputs available through `with`:
| `authPayload` | The JSON payload to be sent to Vault when using a custom authentication method. | | |
| `extraHeaders` | A string of newline separated extra headers to include on every request. | | |
| `exportEnv` | Whether or not export secrets as environment variables. | `true` | |
| `caCertificate` | Base64 encoded CA certificate the server certificate was signed with. | | |
| `clientCertificate` | Base64 encoded client certificate the action uses to authenticate with Vault when mTLS is enabled. | | |
| `clientKey` | Base64 encoded client key the action uses to authenticate with Vault when mTLS is enabled. | | |
| `tlsSkipVerify` | When set to true, disables verification of server certificates when testing the action. | `false` | |
## Masking - Hiding Secrets from Logs