Update README.md

1 year ago · 74fdbf5fd0
parent 36b4983eb0
commit 74fdbf5fd0
1 changed files with 37 additions and 7 deletions
--- a/vault-token/README.md
+++ b/vault-token/README.md
@ -3,6 +3,7 @@ display_name: Hashicorp Vault Integration (Token)
 description: Authenticates with Vault using Token
 icon: ../.icons/vault.svg
 maintainer_github: coder
+partner_github: hashicorp
 verified: true
 tags: [helper, integration, vault, token]
 ---
@ -12,11 +13,17 @@ tags: [helper, integration, vault, token]
 This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token).

 ```tf
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication."
+  sensitive   = true
+}
+
 module "vault" {
  source      = "registry.coder.com/modules/vault-token/coder"
-  version     = "1.0.2"
+  version     = "1.0.3"
  agent_id    = coder_agent.example.id
-  vault_token = "s.1234567890"
+  vault_token = var.token
  vault_addr  = "https://vault.example.com"
 }
 ```
@ -24,31 +31,54 @@ module "vault" {
 Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:

 ```shell
-vault kv get -mount=secret my-secret
+vault kv get -mount=coder my-secret
 ```

 or using the Vault API:

 ```shell
-curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/secret/data/my-secret"
+curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/data/my-secret"
 ```

-![Vault login](../.images/vault-login.png)
-
 ## Configuration

 To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address.

+1. Create a vault policy `read-coder-secrets.hcl` with read access to the secret mount you need your developers to access.
+   ```hcl
+   path "coder/data/*" {
+     capabilities = ["read"]
+   }
+   path "coder/metadata/*" {
+     capabilities = ["read"]
+   }
+   ```
+   ```shell
+   vault policy write read-coder-secrets ead-coder-secrets.hcl
+   ```
+2. Create a token using this policy.
+   ```shell
+   vault token create -policy="read-coder-secrets"
+   ```
+3. Copy the generated and use in your template. 
+
 ## Examples

 ### Configure Vault integration and install a specific version of the Vault CLI

 ```tf
+variable "vault_token" {
+  type        = string
+  description = "The Vault token to use for authentication."
+  sensitive   = true
+}
+
 module "vault" {
  source            = "registry.coder.com/modules/vault-token/coder"
-  version           = "1.0.2"
+  version           = "1.0.3"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
+  vault_token       = var.token
  vault_cli_version = "1.15.0"
 }
 ```