This action calls the Broker API to provision an AppRole secret id that an application uses, together with the service's role id, to log in to Vault. See: Vault API - Login with AppRole
This action is provided to illustrate how to call the Broker API. The Vault Login Action may be a better choice.
This action creates an AppRole secret id which can be used to log in and obtain a renewable Vault token. A renewable token is required if you want your service to have continuous access to a database protected by a dynamic (rotated) secret (See: Vault database engine). Without it, you could only start a service that accesses the database with the dynamic secret obtained for the duration of the intention; once that lease ends, the service has no way to renew it or obtain a new one.
Each invocation of this action should provision at most a single instance of a service. The way a service is provisioned must not create a scenario where its token outlives the service instance. If multiple service instances are provisioned from a single invocation and each of them renews the same token, that shared token becomes effectively immortal. Secure token renewal depends on the token expiring (relatively) quickly once a service instance is stopped.
In almost all situations, a GitHub Action should be using the Vault Login Action instead.
Please refer to the NR Broker Repository for full usage details.
```yaml
- uses: bcgov-nr/action-broker-vault-revoke@v2
  with:
    # The token of the Broker action whose service identity is used to log in
    action_token: ''
    # The broker url.
    # Default: 'https://broker.io.nrs.gov.bc.ca'
    broker_url: ''
    # The service's application role id in vault. Setting this is recommended to avoid environment mismatch.
    role_id: ''
    # The vault url.
    # Default: https://knox.io.nrs.gov.bc.ca
    vault_url: ''
```
This action outputs the wrapped Vault secret id as an environment variable.
This is a wrapped Vault secret id that can be used to access the service's secrets by logging in with the AppRole. The unwrapping API (/v1/sys/wrapping/unwrap) returns the original secret-id response, so the value is in the field secret_id under data. The wrapping token is single-use and short-lived: unwrap it once, inside the service instance that will use the secret id, and treat an unwrap failure (token already used or expired) as a possible sign that something else read the secret before the service did.
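The flow the paragraphs above describe (unwrap the wrapped secret id, log in with the AppRole, then keep the single service instance's token renewed so it expires shortly after the instance stops) as an added example. This is not the action's or the NR Broker project's own code. It assumes the environment variable names WRAPPED_SECRET_ID, ROLE_ID and VAULT_ADDR (the page does not name the variable the action exports), the default `approle` auth mount, and a `request` callable so the Vault calls can be swapped out when testing offline.

```python
"""Unwrap an AppRole secret id, log in, and keep the service token renewed.

Added example, not the action's own code. Assumed names: WRAPPED_SECRET_ID,
ROLE_ID, VAULT_ADDR (the page does not name the exported variable) and the
default "approle" auth mount.
"""
import functools
import json
import os
import time
import urllib.request


class WrappingTokenError(RuntimeError):
    """The wrapping token could not be unwrapped (already used, expired or forged)."""


def _vault_request(vault_url, path, token=None, body=None):
    """Minimal Vault API call over urllib: POST if a body is given, else GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{vault_url.rstrip('/')}/v1/{path}",
        data=data,
        method="POST" if data is not None else "GET",
        headers={"Content-Type": "application/json"},
    )
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def unwrap_secret_id(wrapping_token, request):
    """Exchange the single-use wrapping token for the AppRole secret id.

    Vault answers the unwrap with the original response of the secret-id
    write, so the value is at data.secret_id.
    """
    try:
        resp = request("sys/wrapping/unwrap", token=wrapping_token)
    except Exception as exc:
        # Vault returns 400 when the wrapping token was already consumed or has
        # expired: either this ran twice or something else read it first.
        raise WrappingTokenError("unwrap failed; treat as possible interception") from exc
    return resp["data"]["secret_id"]


def approle_login(role_id, secret_id, request):
    """Log in with role_id + secret_id; return (client_token, ttl_seconds)."""
    resp = request("auth/approle/login", body={"role_id": role_id, "secret_id": secret_id})
    auth = resp["auth"]
    if not auth.get("renewable"):
        # Continuous database access needs a token the service can renew.
        raise RuntimeError("AppRole token is not renewable; continuous access is impossible")
    return auth["client_token"], int(auth["lease_duration"])


def renew_token(token, request):
    """Renew the service's own token; returns the new TTL in seconds."""
    resp = request("auth/token/renew-self", token=token, body={})
    return int(resp["auth"]["lease_duration"])


def renewal_delay(ttl_seconds, fraction=0.5):
    """Wait half the TTL between renewals so one failed renewal does not
    expire the token, but the token still dies soon after the service stops."""
    return max(1, int(ttl_seconds * fraction))


def bootstrap(role_id, wrapping_token, request):
    """Unwrap, log in and return the renewable token with its TTL."""
    secret_id = unwrap_secret_id(wrapping_token, request)
    return approle_login(role_id, secret_id, request)


if __name__ == "__main__":
    request = functools.partial(_vault_request, os.environ["VAULT_ADDR"])
    token, ttl = bootstrap(os.environ["ROLE_ID"], os.environ["WRAPPED_SECRET_ID"], request)
    while True:  # renewal loop lives and dies with this one service instance
        time.sleep(renewal_delay(ttl))
        ttl = renew_token(token, request)
```

Run this inside the single service instance the action provisioned, never in the workflow job that calls the action; the renewal loop ends when the process ends, which is what lets the token expire shortly after the instance stops. If the unwrap raises, do not retry with a fresh invocation before checking why the wrapping token was already gone.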
The scripts and documentation in this project are released under the Apache License