From 74fdbf5fd0cda84aece1f7eefd4a871ae85ea883 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Fri, 2 Feb 2024 13:16:13 +0300
Subject: [PATCH] Update README.md

---
 vault-token/README.md | 44 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/vault-token/README.md b/vault-token/README.md
index 6d91d75..126cec5 100644
--- a/vault-token/README.md
+++ b/vault-token/README.md
@@ -3,6 +3,7 @@ display_name: Hashicorp Vault Integration (Token)
 description: Authenticates with Vault using Token
 icon: ../.icons/vault.svg
 maintainer_github: coder
+partner_github: hashicorp
 verified: true
 tags: [helper, integration, vault, token]
 ---
@@ -12,11 +13,17 @@ tags: [helper, integration, vault, token]
 This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using a [Vault token](https://developer.hashicorp.com/vault/docs/auth/token).
 
 ```tf
+variable "vault_token" {
+  type = string
+  description = "The Vault token to use for authentication."
+  sensitive = true
+}
+
 module "vault" {
   source = "registry.coder.com/modules/vault-token/coder"
-  version = "1.0.2"
+  version = "1.0.3"
   agent_id = coder_agent.example.id
-  vault_token = "s.1234567890"
+  vault_token = var.token
   vault_addr = "https://vault.example.com"
 }
 ```
@@ -24,31 +31,54 @@ module "vault" {
 Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
 
 ```shell
-vault kv get -mount=secret my-secret
+vault kv get -mount=coder my-secret
 ```
 
 or using the Vault API:
 
 ```shell
-curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/secret/data/my-secret"
+curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/data/my-secret"
 ```
 
-![Vault login](../.images/vault-login.png)
-
 ## Configuration
 
 To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address.
 
+1. Create a vault policy `read-coder-secrets.hcl` with read access to the secret mount you need your developers to access.
+   ```hcl
+   path "coder/data/*" {
+     capabilities = ["read"]
+   }
+   path "coder/metadata/*" {
+     capabilities = ["read"]
+   }
+   ```
+   ```shell
+   vault policy write read-coder-secrets ead-coder-secrets.hcl
+   ```
+2. Create a token using this policy.
+   ```shell
+   vault token create -policy="read-coder-secrets"
+   ```
+3. Copy the generated and use in your template.
+
 ## Examples
 
 ### Configure Vault integration and install a specific version of the Vault CLI
 
 ```tf
+variable "vault_token" {
+  type = string
+  description = "The Vault token to use for authentication."
+  sensitive = true
+}
+
 module "vault" {
   source = "registry.coder.com/modules/vault-token/coder"
-  version = "1.0.2"
+  version = "1.0.3"
   agent_id = coder_agent.example.id
   vault_addr = "https://vault.example.com"
+  vault_token = var.token
   vault_cli_version = "1.15.0"
 }
 ```