Skip to content

Commit

Permalink
docs: add namespace example to readme (hashicorp#562)
Browse files Browse the repository at this point in the history 
* docs: add namespace example to readme

* fix integration test jwt audience
  • Loading branch information
@fairclothjm
fairclothjm authored Aug 1, 2024
1 parent 148ee64 commit 8b7eace
Show file tree
Hide file tree
Showing 2 changed files with 56 additions and 18 deletions.
20 changes: 19 additions & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -486,7 +486,6 @@ steps:
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
caCertificate: ${{ secrets.VAULT_CA_CERT }}
method: token
token: ${{ secrets.VAULT_TOKEN }}
namespace: admin
Expand All @@ -496,6 +495,25 @@ steps:
secret/data/ci npm_token
```

Alternatively, you may need to authenticate to the root namespace and retrieve
a secret from a different namespace. To do this, do not set the `namespace`
parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:

```yaml
steps:
# ...
- name: Import Secrets
uses: hashicorp/vault-action
with:
url: https://vault-enterprise.mycompany.com:8200
method: token
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
namespace-1/secret/data/ci npm_token
```

## Reference

Here are all the inputs available through `with`:
Expand Down
54 changes: 37 additions & 17 deletions integrationTests/basic/jwt_auth.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,8 @@ describe('jwt auth', () => {
}
});

// write the jwt config, the jwt role will be written on a per-test
// basis since the audience may vary
await got(`${vaultUrl}/v1/auth/jwt/config`, {
method: 'POST',
headers: {
Expand All @@ -108,22 +110,6 @@ describe('jwt auth', () => {
}
});

await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});

await got(`${vaultUrl}/v1/secret/data/test`, {
method: 'POST',
headers: {
Expand All @@ -138,6 +124,24 @@ describe('jwt auth', () => {
});

describe('authenticate with private key', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});
});

beforeEach(() => {
jest.resetAllMocks();

Expand Down Expand Up @@ -170,14 +174,30 @@ describe('jwt auth', () => {

describe('authenticate with Github OIDC', () => {
beforeAll(async () => {
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: 'https://github.com/hashicorp/vault-action',
bound_claims: {
iss: 'vault-action'
},
user_claim: 'iss',
policies: ['reader']
}
});

await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
method: 'POST',
headers: {
'X-Vault-Token': vaultToken,
},
json: {
role_type: 'jwt',
bound_audiences: null,
bound_audiences: 'sigstore',
bound_claims: {
iss: 'vault-action',
aud: 'sigstore',
Expand Down

0 comments on commit 8b7eace

Please sign in to comment.