This action acquires an AppRole token from Vault through the Broker API, which lets the team read secrets from a GitHub Actions pipeline.
This is useful in CI/CD pipelines where you need to access a secret, obtain a Vault token, or do anything else Vault related.
This tool is currently based on the existing documentation provided by 1team.
1. Discuss with 1team/DBA to start the onboarding process on Vault.
2. Project setup is done for 3 environments: development, test and production.
3. The `provision_role_id` is environment specific and should be stored as a secret in the GitHub repository.
4. The `broker_jwt` is global, NOT environment specific, and should be stored as a secret in the GitHub repository.
```yaml
- uses: bcgov-nr/action-vault-broker-approle@main
  with:
    ### Required
    # Broker JWT Token
    broker_jwt: The JWT to be used on the broker
    # Role ID for Provision
    provision_role_id: The id of the role to be used during provisioning
    # Project name on vault
    project_name: Name of the project on vault, Ex. client
    # Application name on vault
    app_name: Name of the app on vault, Ex. app-client
    # Vault environment
    environment: Name of the vault environment, Ex. development

    ### Usually a bad idea / not recommended
    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}
    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}
    # Broker server address
    # Useful when consuming from a test server or other environment
    broker_url: https://nr-broker.apps.silver.devops.gov.bc.ca
    # Vault server address
    # Useful when interacting with other instances of vault
    vault_addr: https://vault-iit.apps.silver.devops.gov.bc.ca
```
Read a secret from the vault
Create or modify a GitHub workflow like the one below, e.g. `.github/workflows/pr-open.yml`.
```yaml
name: Pull Request

on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  builds:
    permissions:
      packages: write
    runs-on: ubuntu-22.04
    env:
      project_name: super
      app_name: app-super
      environment: development
      secret_path_env: dev # this path is different from the path in the broker
    steps:
      - uses: actions/checkout@v3
      - name: Broker
        id: broker
        uses: bcgov-nr/action-vault-broker-approle@main
        with:
          broker_jwt: ${{ secrets.BROKER_JWT }}
          provision_role_id: ${{ secrets.PROVISION_ROLE }}
          project_name: ${{ env.project_name }}
          app_name: ${{ env.app_name }}
          environment: ${{ env.environment }}
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          url: https://vault-iit.apps.silver.devops.gov.bc.ca
          token: ${{ steps.broker.outputs.vault_token }}
          exportEnv: 'false'
          secrets: |
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets username | SECRET_USER;
            apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/super_secrets password | SECRET_PWD;
```
If a token is acquired, this action outputs its value as `vault_token`. See the examples above.
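The example below is added here and is not part of the action or of the `hashicorp/vault-action` step; it shows, in plain Python with only the standard library, what the "Import Secrets" step does with the `vault_token` output: it parses the same `<path> <key> | OUTPUT_NAME;` lines, reads each KV v2 path once with the token in the `X-Vault-Token` header, and masks every value (`::add-mask::`) before writing it to `GITHUB_OUTPUT`. It assumes the token is passed in the `VAULT_TOKEN` environment variable, that the paths are KV v2 paths as in the README, and the sample spec and response are constructed to match the workflow above after `${{ env.* }}` expansion (`dev`, `super`, `app-super`).

```python
import json
import os
import sys
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample: the README's two `secrets:` lines once GitHub has
# expanded secret_path_env=dev, project_name=super, app_name=app-super.
SAMPLE_SPEC = """
apps/data/dev/super/app-super/super_secrets username | SECRET_USER;
apps/data/dev/super/app-super/super_secrets password | SECRET_PWD;
"""

# Constructed KV v2 read response (shape of GET /v1/<mount>/data/<path>).
SAMPLE_RESPONSE = {
    "data": {
        "data": {"username": "svc-super", "password": "example-only"},
        "metadata": {"version": 3},
    }
}


def parse_secret_specs(spec: str) -> List[Tuple[str, str, str]]:
    """Parse vault-action style entries '<path> <key> | <OUTPUT_NAME>;'.

    Returns (path, key, output_name) triples; blank entries are ignored and
    malformed ones fail loudly rather than silently exporting nothing.
    """
    specs = []
    for entry in spec.split(";"):
        line = entry.strip()
        if not line:
            continue
        left, sep, name = line.partition("|")
        if not sep or not name.strip():
            raise ValueError(f"missing '| OUTPUT_NAME' in: {line!r}")
        parts = left.split()
        if len(parts) != 2:
            raise ValueError(f"expected '<path> <key>' in: {line!r}")
        specs.append((parts[0], parts[1], name.strip()))
    return specs


def kv2_read_url(vault_addr: str, path: str) -> str:
    """Build the KV v2 read URL. The README paths already carry the
    'apps/data/...' mount-and-data prefix, so the path is used verbatim."""
    return f"{vault_addr.rstrip('/')}/v1/{path.lstrip('/')}"


def extract_value(response: dict, key: str) -> str:
    """Take one key out of a KV v2 read response ({"data": {"data": {...}}})."""
    data = response.get("data", {}).get("data", {})
    if key not in data:
        raise KeyError(f"key {key!r} not present in secret")
    return str(data[key])


def fetch_secret(vault_addr: str, token: str, path: str) -> dict:
    """GET the secret using the token from steps.broker.outputs.vault_token."""
    req = urllib.request.Request(kv2_read_url(vault_addr, path),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def resolve_secrets(spec: str, reader: Callable[[str], dict]) -> Dict[str, str]:
    """Resolve every spec entry to {OUTPUT_NAME: value}, reading each path once.
    `reader(path)` returns the KV v2 response; injected so it can be faked."""
    cache: Dict[str, dict] = {}
    out: Dict[str, str] = {}
    for path, key, name in parse_secret_specs(spec):
        if path not in cache:
            cache[path] = reader(path)
        out[name] = extract_value(cache[path], key)
    return out


def mask_and_export(values: Dict[str, str], github_output: str) -> None:
    """Mask each value in the job log, then publish it as a step output.
    (Single-line values only; multi-line values need the heredoc syntax.)"""
    with open(github_output, "a", encoding="utf-8") as fh:
        for name, value in values.items():
            print(f"::add-mask::{value}")
            fh.write(f"{name}={value}\n")


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "https://vault-iit.apps.silver.devops.gov.bc.ca")
    token = os.environ.get("VAULT_TOKEN")  # set to steps.broker.outputs.vault_token
    if not token:
        sys.exit("VAULT_TOKEN is not set; run this after the Broker step")
    resolved = resolve_secrets(SAMPLE_SPEC, lambda p: fetch_secret(addr, token, p))
    mask_and_export(resolved, os.environ["GITHUB_OUTPUT"])
```

Run it as a `run:` step with `VAULT_TOKEN: ${{ steps.broker.outputs.vault_token }}` in the step's `env:`; keeping the token in an environment variable rather than interpolating it into the script body keeps it out of the rendered command line. Masking before writing to `GITHUB_OUTPUT` is what stops a later `echo` of the output from leaking the value into the job log.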