docs: add namespace example to readme (#562)
* docs: add namespace example to readme * fix integration test jwt audience
This commit is contained in:
John-Michael Faircloth
committed by
GitHub
GitHub
parent
148ee648cc
commit
8b7eaceb79
20
README.md
20
README.md
@@ -486,7 +486,6 @@ steps:
|
||||
uses: hashicorp/vault-action
|
||||
with:
|
||||
url: https://vault-enterprise.mycompany.com:8200
|
||||
caCertificate: ${{ secrets.VAULT_CA_CERT }}
|
||||
method: token
|
||||
token: ${{ secrets.VAULT_TOKEN }}
|
||||
namespace: admin
|
||||
@@ -496,6 +495,25 @@ steps:
|
||||
secret/data/ci npm_token
|
||||
```
|
||||
|
||||
Alternatively, you may need to authenticate to the root namespace and retrieve
|
||||
a secret from a different namespace. To do this, do not set the `namespace`
|
||||
parameter. Instead set the namespace in the secret path. For example, `<NAMESPACE>/secret/data/app`:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
# ...
|
||||
- name: Import Secrets
|
||||
uses: hashicorp/vault-action
|
||||
with:
|
||||
url: https://vault-enterprise.mycompany.com:8200
|
||||
method: token
|
||||
token: ${{ secrets.VAULT_TOKEN }}
|
||||
secrets: |
|
||||
namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
|
||||
namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
|
||||
namespace-1/secret/data/ci npm_token
|
||||
```
|
||||
|
||||
## Reference
|
||||
|
||||
Here are all the inputs available through `with`:
|
||||
|
||||
@@ -97,6 +97,8 @@ describe('jwt auth', () => {
|
||||
}
|
||||
});
|
||||
|
||||
// write the jwt config, the jwt role will be written on a per-test
|
||||
// basis since the audience may vary
|
||||
await got(`${vaultUrl}/v1/auth/jwt/config`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
@@ -108,22 +110,6 @@ describe('jwt auth', () => {
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/secret/data/test`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
@@ -138,6 +124,24 @@ describe('jwt auth', () => {
|
||||
});
|
||||
|
||||
describe('authenticate with private key', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
beforeEach(() => {
|
||||
jest.resetAllMocks();
|
||||
|
||||
@@ -170,6 +174,22 @@ describe('jwt auth', () => {
|
||||
|
||||
describe('authenticate with Github OIDC', () => {
|
||||
beforeAll(async () => {
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-Vault-Token': vaultToken,
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: 'https://github.com/hashicorp/vault-action',
|
||||
bound_claims: {
|
||||
iss: 'vault-action'
|
||||
},
|
||||
user_claim: 'iss',
|
||||
policies: ['reader']
|
||||
}
|
||||
});
|
||||
|
||||
await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
@@ -177,7 +197,7 @@ describe('jwt auth', () => {
|
||||
},
|
||||
json: {
|
||||
role_type: 'jwt',
|
||||
bound_audiences: null,
|
||||
bound_audiences: 'sigstore',
|
||||
bound_claims: {
|
||||
iss: 'vault-action',
|
||||
aud: 'sigstore',
|
||||
|
||||
Reference in New Issue
Block a user