
GitHub Actions#

HashiCorp Vault can be used as a secrets provider for GitHub Actions, and it is the preferred place to store secrets that workflows consume. A workflow authenticates to Vault with the short-lived OIDC JWT that GitHub issues to the running job, so no long-lived Vault credential has to be stored as a GitHub secret: the "secret zero" problem is eliminated.

The following provides examples of two approaches: a single role and policy that every workflow in your GitHub organization (here umn-secm) can use to read a shared, organization-wide secrets directory in Vault, or one role per repository with access limited to that repository's own directory in Vault.

Note

Each role that is used counts as a client for Vault licensing. Balance the need for secrets isolation and the principle of least privilege against the number of roles, and therefore licenses, your team consumes. Reach out to the secrets management team for specific guidance.

Sample Terraform for setting up Vault as a secrets provider for GitHub Actions

Auth Method#

To authenticate GitHub Actions, a JWT auth method must be enabled in your namespace. This can be done via the Vault CLI or Terraform.

Terraform: See hcp-vault-terraform-examples/github_actions/jwt-github.tf

CLI:

Bash
# Enable the JWT auth backend at a dedicated mount path.
# The description is a property of the mount, so it is set here with
# "auth enable" rather than in the backend configuration below.
vault auth enable \
    -path=jwt-github-actions \
    -description="JWT backend for GitHub Actions" \
    jwt

# Configure the backend to trust GitHub's OIDC issuer. Vault fetches the
# signing keys from the discovery URL and rejects any token whose "iss"
# claim does not equal bound_issuer.
vault write auth/jwt-github-actions/config \
    oidc_discovery_url="https://token.actions.githubusercontent.com" \
    bound_issuer="https://token.actions.githubusercontent.com"

Policy#

GitHub Org Global Policy#

This policy gives workflows in every repository of the GitHub organization read access to secrets under secret/github_actions/global/*. The policy path includes the data/ segment because secret/ is a KV version 2 mount, whose read endpoint is secret/data/<path>.

Terraform: See hcp-vault-terraform-examples/github_actions/jwt-github-policy.tf

CLI:

Bash
vault policy write global_github_actions_access_policy - <<EOF
# Read-only access to the organization-wide directory on the KV v2 mount.
# "read" covers secret/data/<path>; it does not grant list or write.
path "secret/data/github_actions/global/*" {
  capabilities = ["read"]
}
EOF

GitHub Repo Specific Policy#

This policy gives workflows in the hcp-vault-terraform-examples repository read access to secrets under secret/github_actions/hcp-vault-terraform-examples/* only.

Terraform: See hcp-vault-terraform-examples/github_actions/jwt-github-policy.tf

CLI:

Bash
# The policy name must match the one listed in the repository role's
# token_policies below.
vault policy write hcp-vault-terraform-examples_github_actions_access_policy - <<EOF
# Read-only access to this repository's own directory on the KV v2 mount.
path "secret/data/github_actions/hcp-vault-terraform-examples/*" {
  capabilities = ["read"]
}
EOF

Role#

A role is what Vault uses to associate a GitHub organization or repository with a policy, and so with access to certain secrets. When a workflow presents its OIDC token, Vault verifies the signature and issuer, checks the aud claim against bound_audiences and every claim listed in bound_claims, and, if all of them match, issues a Vault token (valid for token_ttl seconds) carrying the role's token_policies. Only the claims you bind are checked: a role bound solely on repository lets a workflow on any branch, tag or trigger of a matching repository obtain the secrets, so for deployment credentials consider also binding the ref claim (for example refs/heads/main) or the environment claim. GitHub sets aud to the URL of the repository owner, which is why the roles below bind https://github.com/umn-secm.

GitHub Org Global Role#

Terraform: See hcp-vault-terraform-examples/github_actions/jwt-github.tf

CLI:

Bash
vault write auth/jwt-github-actions/role/global_github_actions - <<EOF
{
  "role_type": "jwt",
  "token_policies": [
    "default",
    "global_github_actions_access_policy"
  ],
  "user_claim": "actor",
  "token_ttl": 600,
  "bound_audiences": ["https://github.com/umn-secm"],
  "bound_claims_type": "glob",
  "bound_claims": {
    "repository": "umn-secm/*"
  }
}
EOF

GitHub Repo Specific Roles#

Terraform: See hcp-vault-terraform-examples/github_actions/jwt-github.tf

CLI:

Bash
vault write auth/jwt-github-actions/role/hcp-vault-terraform-examples_github_actions - <<EOF
{
  "role_type": "jwt",
  "token_policies": [
    "default",
    "hcp-vault-terraform-examples_github_actions_access_policy"
  ],
  "user_claim": "actor",
  "token_ttl": 600,
  "bound_audiences": ["https://github.com/umn-secm"],
  "bound_claims_type": "glob",
  "bound_claims": {
    "repository": "umn-secm/hcp-vault-terraform-examples"
  }
}
EOF

GitHub Actions Sample File#

See either the example in SECM's example actions file or the DevEx Actions Example Repository.
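The following workflow is an added example, not the SECM or DevEx sample file. It uses the auth mount path jwt-github-actions, the role global_github_actions, the audience https://github.com/umn-secm and the KV v2 prefix secret/data/github_actions/global from the sections above; the secret name example with key api_key, and the repository variables VAULT_ADDR and VAULT_NAMESPACE, are assumptions for illustration.

```yaml
# Added example workflow (not from this page or its linked repositories).
# Assumptions: mount path, role and audience as configured above; a KV v2
# secret at secret/github_actions/global/example with key "api_key";
# VAULT_ADDR and VAULT_NAMESPACE stored as repository variables.
name: read-vault-secret

on:
  push:
    branches: [main]

permissions:
  # Required: without id-token: write the job cannot request the OIDC JWT
  # and therefore has no way to authenticate to Vault.
  id-token: write
  contents: read

jobs:
  fetch-secret:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Authenticate to Vault with the GitHub OIDC token and read secrets
        uses: hashicorp/vault-action@v3
        with:
          url: ${{ vars.VAULT_ADDR }}
          namespace: ${{ vars.VAULT_NAMESPACE }}
          method: jwt
          path: jwt-github-actions          # mount path from "Auth Method"
          role: global_github_actions       # role from "GitHub Org Global Role"
          # Must equal one of the role's bound_audiences. The action's default
          # audience is not the organization URL, so set it explicitly or the
          # login is rejected.
          jwtGithubAudience: https://github.com/umn-secm
          # Format: <KV v2 API path> <key> | <environment variable> ;
          secrets: |
            secret/data/github_actions/global/example api_key | EXAMPLE_API_KEY ;

      - name: Use the secret without printing it
        run: |
          # vault-action masks fetched values in the job log, but do not rely
          # on that: never echo the secret itself, only confirm it is present.
          test -n "$EXAMPLE_API_KEY" || { echo "secret not loaded"; exit 1; }
          echo "secret loaded (${#EXAMPLE_API_KEY} characters)"
```

To use a repository-specific role instead, change role to the repository's role name and the secrets path to that repository's directory; the role's bound_claims then reject tokens from any other repository even if the workflow file is copied there.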