Max Wagner 05074af563 Add option to retry Vault Token retrieval
Sometimes we might encounter errors when retrieving the Vault token
using a method like JWT. In those cases, the action does not retry the
request today because the got package does not retry POST requests by default.

This change adds an option called retryVaultTokenRetrieval that will
add the POST method to the retriable methods got uses. The POST method
is not used in any other place in this action, so having the POST method
added to the defaultOptions seems okay for now.
2023-04-03 21:04:49 +00:00


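---
# Action manifest for the Vault Secrets GitHub Action.
# GitHub Actions delivers every input to the action as a string, so all
# defaults below are written as quoted strings to make that explicit
# (jwtTtl previously carried a bare integer default; it is now quoted to
# match the other inputs).
name: 'Vault Secrets'
description: 'A Github Action that allows you to consume HashiCorp Vault™ secrets as secure environment variables'
inputs:
  url:
    description: 'The URL for the vault endpoint'
    required: true
  secrets:
    description: 'A semicolon-separated list of secrets to retrieve. These will automatically be converted to environmental variable keys. See README for more details'
    required: false
  namespace:
    description: 'The Vault namespace from which to query secrets. Vault Enterprise only, unset by default'
    required: false
  method:
    description: 'The method to use to authenticate with Vault.'
    default: 'token'
    required: false
  role:
    description: 'Vault role for specified auth method'
    required: false
  path:
    description: 'Custom Vault path, if the auth method was mounted at a different path'
    required: false
  # Credential inputs (token, roleId, secretId, githubToken, jwtPrivateKey,
  # jwtKeyPassword, clientKey): these authenticate the workflow to Vault and
  # should be supplied from workflow secrets rather than literals in the
  # workflow file.
  token:
    description: 'The Vault Token to be used to authenticate with Vault'
    required: false
  roleId:
    description: 'The Role Id for App Role authentication'
    required: false
  secretId:
    description: 'The Secret Id for App Role authentication'
    required: false
  githubToken:
    description: 'The Github Token to be used to authenticate with Vault'
    required: false
  kubernetesTokenPath:
    description: 'The path to the Kubernetes service account secret'
    required: false
    default: '/var/run/secrets/kubernetes.io/serviceaccount/token'
  authPayload:
    description: 'The JSON payload to be sent to Vault when using a custom authentication method.'
    required: false
  extraHeaders:
    description: 'A string of newline separated extra headers to include on every request.'
    required: false
  exportEnv:
    description: 'Whether or not export secrets as environment variables.'
    default: 'true'
    required: false
  # When enabled, the Vault token itself becomes an environment variable and
  # is therefore visible to every later step in the job; off by default.
  exportToken:
    description: 'Whether or not export Vault token as environment variables.'
    default: 'false'
    required: false
  caCertificate:
    description: 'Base64 encoded CA certificate to verify the Vault server certificate.'
    required: false
  clientCertificate:
    description: 'Base64 encoded client certificate for mTLS communication with the Vault server.'
    required: false
  clientKey:
    description: 'Base64 encoded client key for mTLS communication with the Vault server.'
    required: false
  # Disables server certificate verification; prefer caCertificate to trust
  # a private CA instead of turning verification off.
  tlsSkipVerify:
    description: 'When set to true, disables verification of the Vault server certificate. Setting this to true in production is not recommended.'
    required: false
    default: 'false'
  jwtPrivateKey:
    description: 'Base64 encoded Private key to sign JWT'
    required: false
  jwtKeyPassword:
    description: 'Password for key stored in jwtPrivateKey (if needed)'
    required: false
  jwtGithubAudience:
    description: 'Identifies the recipient ("aud" claim) that the JWT is intended for'
    required: false
  jwtTtl:
    description: 'Time in seconds, after which token expires'
    required: false
    # Quoted so the manifest declares the same string value the runner hands
    # to the action; the numeric meaning is unchanged.
    default: '3600'
  secretEncodingType:
    description: 'The encoding type of the secret to decode. If not specified, the secret will not be decoded. Supported values: base64, hex, utf8'
    required: false
  # No default is declared here on purpose: the description states that an
  # unset value means a single attempt. NOTE(review): how dist/index.js
  # interprets a literal 'false' is not visible from this file, so a default
  # was not added — confirm against the consumer before declaring one.
  retryVaultTokenRetrieval:
    description: 'Enable retrying retrieval of Vault server tokens. If not specified the token request to the Vault server will only be tried once.'
    required: false
runs:
  using: 'node16'
  main: 'dist/index.js'
branding:
  icon: 'unlock'
  color: 'gray-dark'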