To connect to HashiCorp Vault from GitHub Actions using OIDC (OpenID Connect), you can use the hashicorp/vault-action
to simplify the process. With OIDC, the workflow authenticates to Vault with a short-lived identity token issued by GitHub for that job run, so no long-lived Vault credentials need to be stored as repository secrets, which makes it well suited to CI/CD pipelines.
First, enable the jwt auth method in Vault and point it at GitHub's OIDC issuer, https://token.actions.githubusercontent.com, so that Vault can discover the keys it needs to verify the tokens GitHub signs:

vault auth enable jwt
# Configure the method against GitHub's OIDC discovery endpoint (required before roles can be used)
vault write auth/jwt/config \
  oidc_discovery_url="https://token.actions.githubusercontent.com" \
  bound_issuer="https://token.actions.githubusercontent.com"

Example Vault policy and role configuration:

# Create an OIDC role for GitHub Actions
vault write auth/jwt/role/my-github-actions \
  role_type=jwt \
  bound_issuer="https://token.actions.githubusercontent.com" \
  bound_audiences="sigstore" \
  user_claim=repository \
  bound_claims_format=glob \
  bound_claims='{"repository":"<your_org_or_repo>/*"}' \
  token_policies=github-actions-policy \
  ttl=1h
# bound_audiences must match the "aud" value vault-action requests from GitHub
# (its jwtGithubAudience input, which defaults to sigstore); Vault rejects the
# token otherwise. The JSON for bound_claims is single-quoted so the shell
# keeps the inner double quotes intact.

# Define the policy to grant access
vault policy write github-actions-policy - <<EOF
# KV v2 read paths include the data/ segment, matching the path the workflow reads below
path "some/data/path/github/sub/folder/*" {
  capabilities = ["read"]
}
EOF
Below is an example GitHub Actions workflow to authenticate to Vault using OIDC:

name: Retrieve Secret from Vault with OIDC
on:
  workflow_dispatch:
jobs:
  oidc-to-vault:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
      contents: read # Default read permissions
    steps:
      - name: Retrieve Vault Objects
        uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: jwt
          path: jwt # mount path of the auth method; matches `vault auth enable jwt`
          role: my-github-actions
          jwtGithubAudience: sigstore # must equal bound_audiences on the Vault role
          secrets: |
            some/data/path/github/sub/folder/target-object Field_Within_Object | MYSECRET1 ;
      - name: Use the secret
        run: |
          printf 'MYSECRET1 hint = %s\n' "${MYSECRET1:0:4}"
Key points in this workflow:

In the job's permissions block, set:

permissions:
  id-token: write

This allows the job to request an OIDC token from GitHub, which it then presents to Vault.

In the hashicorp/vault-action configuration, the method: jwt input selects Vault's jwt auth method, which accepts the OIDC token GitHub issues; path: jwt is the mount path of that method (the default when you run vault auth enable jwt); and role: my-github-actions maps to the Vault role created earlier (auth/jwt/role/my-github-actions). The action requests the token from https://token.actions.githubusercontent.com and uses it to authenticate with Vault.

To recap, ensure the following is configured in Vault:
vault auth enable jwt
vault write auth/jwt/config \
  oidc_discovery_url="https://token.actions.githubusercontent.com" \
  bound_issuer="https://token.actions.githubusercontent.com"
vault write auth/jwt/role/my-github-actions \
  role_type=jwt \
  bound_issuer="https://token.actions.githubusercontent.com" \
  bound_audiences="sigstore" \
  user_claim=repository \
  bound_claims_format=glob \
  bound_claims='{"repository":"<your_org_or_repo>/*"}' \
  token_policies=github-actions-policy \
  ttl=1h
vault policy write github-actions-policy - <<EOF
path "some/data/path/github/sub/folder/*" {
  capabilities = ["read"]
}
EOF
Adjust bound_claims to match the repositories that should be allowed to use this role.
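The role above is the control that decides which GitHub tokens Vault accepts, so it helps to see what each bound_* setting actually filters. The following is an added illustration, not code from the original page or from HashiCorp: it simulates the documented matching rules of a jwt role (bound_issuer, bound_audiences, bound_claims in glob format, user_claim) and runs constructed sample claim sets through it, including a token from another organisation and a token carrying GitHub's default audience instead of the one the role expects. It also goes beyond the page's configuration with a second role that pins the sub claim to one branch. The org name example-org, the audience sigstore (assumed to be vault-action's default jwtGithubAudience) and all token payloads are constructed values.

```python
"""
Simulation of how a Vault jwt role's bound_* settings filter a GitHub OIDC token.

This mirrors the matching rules documented for the jwt auth method; it is not
Vault's own code. Token payloads below are constructed samples, not real JWTs.
"""
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Role equivalent to the `vault write auth/jwt/role/my-github-actions ...` command,
# with the <your_org_or_repo> placeholder filled in as the constructed name "example-org".
REPO_GLOB_ROLE = {
    "bound_issuer": GITHUB_ISSUER,
    "bound_audiences": ["sigstore"],  # assumption: vault-action's default jwtGithubAudience
    "bound_claims_format": "glob",
    "bound_claims": {"repository": "example-org/*"},
    "user_claim": "repository",
}

# Tighter variant (not on the original page): pin the `sub` claim so that only
# the main branch of a single repository can use the role.
MAIN_BRANCH_ROLE = dict(
    REPO_GLOB_ROLE,
    bound_claims={"sub": "repo:example-org/app:ref:refs/heads/main"},
)


def _glob_match(pattern: str, value: str) -> bool:
    """Vault's glob format treats only '*' as a wildcard; '?' and '[' are literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate_role(role: dict, claims: dict):
    """Return (allowed, reason, entity_alias) for one set of token claims."""
    if claims.get("iss") != role["bound_issuer"]:
        return False, "issuer mismatch", None

    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in role["bound_audiences"] for a in audiences):
        return False, "audience mismatch", None

    # Every bound claim must match; a claim value may list several patterns, any of which suffices.
    for claim, expected in role["bound_claims"].items():
        actual = claims.get(claim)
        if actual is None:
            return False, f"missing claim {claim}", None
        patterns = expected if isinstance(expected, list) else [expected]
        if role["bound_claims_format"] == "glob":
            matched = any(_glob_match(p, str(actual)) for p in patterns)
        else:
            matched = str(actual) in [str(p) for p in patterns]
        if not matched:
            return False, f"claim {claim}={actual!r} not permitted", None

    # user_claim becomes the entity alias name Vault records for the login.
    alias = claims.get(role["user_claim"])
    if alias is None:
        return False, f"missing user_claim {role['user_claim']}", None
    return True, "ok", str(alias)


def _github_claims(repository: str, ref: str, aud: str = "sigstore") -> dict:
    """Build a constructed claim set in the shape GitHub's OIDC tokens use."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": aud,
        "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "ref": ref,
    }


# Constructed sample tokens.
MAIN_TOKEN = _github_claims("example-org/app", "refs/heads/main")
FEATURE_TOKEN = _github_claims("example-org/app", "refs/heads/feature-x")
OTHER_ORG_TOKEN = _github_claims("someone-else/app", "refs/heads/main")
# GitHub's default audience when a workflow does not request one explicitly.
DEFAULT_AUD_TOKEN = _github_claims("example-org/app", "refs/heads/main",
                                   aud="https://github.com/example-org")

if __name__ == "__main__":
    for name, role in (("repo-glob", REPO_GLOB_ROLE), ("main-branch", MAIN_BRANCH_ROLE)):
        for label, token in (("main", MAIN_TOKEN), ("feature", FEATURE_TOKEN),
                             ("other-org", OTHER_ORG_TOKEN), ("default-aud", DEFAULT_AUD_TOKEN)):
            allowed, reason, alias = evaluate_role(role, token)
            print(f"{name:12} {label:12} allowed={allowed!s:5} {reason} alias={alias}")
```

Running it shows the repository glob admitting every branch of every repository under example-org while rejecting the other organisation, the audience check rejecting a token whose aud was not set to the value the role expects, and the sub-pinned role admitting only the main branch. In a real deployment the same decisions show up in Vault's audit log as login successes or failures against auth/jwt/login.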