Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ENH] - Use GitHub secrets instead of Vault #2835

Open
marcelovilla opened this issue Nov 8, 2024 · 1 comment
Open

[ENH] - Use GitHub secrets instead of Vault #2835

marcelovilla opened this issue Nov 8, 2024 · 1 comment
Assignees

Comments

@marcelovilla
Copy link
Member

Feature description

We're currently relying on Vault, hosted on HashiCorp Cloud Platform, to read secrets for our GHA workflows. For example:

- name: Retrieve secret from Vault
uses: hashicorp/[email protected]
with:
method: jwt
url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
namespace: "admin/quansight"
role: "repository-nebari-dev-nebari-role"
secrets: |
kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
kv/data/repository/nebari-dev/nebari/cloudflare/[email protected]/nebari-dev-ci token | CLOUDFLARE_TOKEN;

In the previous months, our Vault configuration has broken, resulting in failing GHA jobs when trying to read secrets. Here's a recent example: https://github.com/nebari-dev/nebari/actions/runs/11628815929/job/32384643624#step:5:32

I think we could simplify our secret management logic and use GitHub secrets instead.

Value and/or benefit

Migrating from Vault to GitHub secrets would reduce the maintenance burden and avoid jobs failing because of a broken Vault configuration.

Anything else?

No response

@Adam-D-Lewis
Copy link
Member

Adam-D-Lewis commented Nov 11, 2024

We talked about this in the maintainers meeting this morning and were in favor of this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: New 🚦
Development

No branches or pull requests

3 participants