add vault-github auth

pull/105/head
Muhammad Atif Ali 2 years ago
parent 913e033cc7
commit 762041eb87

@ -1,21 +1,19 @@
--- ---
display_name: vault display_name: Hashicorp Vault Integration (GitHub)
description: Authenticates with Vault description: Authenticates with Vault using GitHub
icon: ../.icons/vault.svg icon: ../.icons/vault.svg
maintainer_github: coder maintainer_github: coder
verified: true verified: true
tags: [helper, integration, vault] tags: [helper, integration, vault, github]
--- ---
# Hashicorp Vault # Hashicorp Vault Integration (GitHub)
This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces. This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces using GitHub [external auth](https://coder.com/docs/v2/latest/admin/external-auth).
> **Note:** This module does not cover setting up and configuring Vault auth methods. For that, see the [Vault documentation](https://developer.hashicorp.com/vault/docs/auth).
```hcl ```hcl
module "vault" { module "vault" {
source = "https://registry.coder.com/modules/vault" source = "https://registry.coder.com/modules/vault-github"
agent_id = coder_agent.example.id agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com" vault_addr = "https://vault.example.com"
} }
@ -37,43 +35,30 @@ curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET $VAULT_ADDR/v1/secret/data/my-secre
## Configuration ## Configuration
To configure the Vault module, you must setup a Vault [OIDC Provider](https://developer.hashicorp.com/vault/docs/concepts/oidc-provider) and [configure](https://coder.com/docs/v2/latest/admin/external-auth) Coder to use it. To configure the Vault module, you must set up a Vault GitHub auth method. See the [Vault documentation](https://www.vaultproject.io/docs/auth/github) for more information.
### OIDC Provider in Vault
1. Create a [Vault OIDC Application](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-identity-provider) with name `coder` and set the Redirect URI to `https://coder.example.com/external-auth/vault/callback`.
2. Make note of the `Client ID` and `Client Secret`.
3. Add a provider to OIDC application with name `coder` and set the "Issuer URL" to `$VAULT_ADDR`.
### Coder configuration ## Examples
Add the following to your Coder configuration: ### Configure Vault integration with a different Coder GitHub external auth ID (i.e., not the default `github`)
```env ```hcl
CODER_EXTERNAL_AUTH_0_ID: "vault" module "vault" {
CODER_EXTERNAL_AUTH_0_TYPE: "vault" source = "https://registry.coder.com/modules/vault"
CODER_EXTERNAL_AUTH_0_CLIENT_ID: "XXXXXXXXXX" agent_id = coder_agent.example.id
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX" vault_addr = "https://vault.example.com"
CODER_EXTERNAL_AUTH_0_DISPLAY_NAME: "Hashicorp Vault" coder_github_auth_id = "my-github-auth-id"
CODER_EXTERNAL_AUTH_0_DISPLAY_ICON: "/icon/vault.svg" }
CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL: "$VAULT_ADDR/ui/vault/identity/oidc/provider/coder/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token"
CODER_EXTERNAL_AUTH_0_SCOPES: "openid"
``` ```
> **Note:** Replace `$VAULT_ADDR` with your Vault address. e.g. `https://vault.example.com`. ### Configure Vault integration with a different Coder GitHub external auth ID and a different Vault GitHub auth path
## Examples
### Configure Vault integration with a custom Vault auth id
```hcl ```hcl
module "vault" { module "vault" {
source = "https://registry.coder.com/modules/vault" source = "https://registry.coder.com/modules/vault"
agent_id = coder_agent.example.id agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com" vault_addr = "https://vault.example.com"
auth_provider_id = "my-auth-id" coder_github_auth_id = "my-github-auth-id"
vault_github_auth_path = "my-github-auth-path"
} }
``` ```

@ -20,10 +20,16 @@ variable "vault_addr" {
description = "The address of the Vault server." description = "The address of the Vault server."
} }
variable "auth_provider_id" { variable "coder_github_auth_id" {
type = string type = string
description = "The ID of the Vault auth method to use." description = "The ID of the GitHub external auth."
default = "vault" default = "github"
}
variable "vault_github_auth_path" {
type = string
description = "The path to the GitHub auth method."
default = "github"
} }
variable "vault_cli_version" { variable "vault_cli_version" {
@ -42,12 +48,13 @@ resource "coder_script" "vault" {
icon = "/icon/vault.svg" icon = "/icon/vault.svg"
script = templatefile("${path.module}/run.sh", { script = templatefile("${path.module}/run.sh", {
VAULT_ADDR : var.vault_addr, VAULT_ADDR : var.vault_addr,
PROVIDER_ID : var.auth_provider_id, AUTH_PATH : var.vault_github_auth_path,
GITHUB_EXTERNAL_AUTH_ID : data.coder_external_auth.github.id,
VERSION : var.vault_cli_version, VERSION : var.vault_cli_version,
}) })
run_on_start = true run_on_start = true
} }
data "coder_external_auth" "vault" { data "coder_external_auth" "github" {
id = var.auth_provider_id id = var.coder_github_auth_id
} }
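Review bot: The new `vault_github_auth_path` variable's description, "The path to the GitHub auth method.", does not say what form the value takes, while run.sh builds the flag as `-path=/$AUTH_PATH`, so a value written with its own leading or trailing slash may not resolve as intended. The description should pin this down, e.g. `description = "Mount path of the GitHub auth method in Vault, without leading or trailing slashes (default: github)."`. Likewise `coder_github_auth_id` would read less ambiguously as `description = "ID of the Coder GitHub external auth provider (the CODER_EXTERNAL_AUTH_<N>_ID value)."`, so it is not mistaken for a Vault-side setting.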

@ -1,9 +1,10 @@
#!/usr/bin/env bash #!/usr/bin/env bash
BOLD='\033[0;1m' BOLD='\033[0;1m'
PROVIDER_ID=${PROVIDER_ID}
VAULT_ADDR=${VAULT_ADDR} VAULT_ADDR=${VAULT_ADDR}
VERSION=${VERSION} VERSION=${VERSION}
AUTH_PATH=${AUTH_PATH}
GITHUB_EXTERNAL_AUTH_ID=${GITHUB_EXTERNAL_AUTH_ID}
# Check if vault is installed # Check if vault is installed
if ! command -v vault &>/dev/null; then if ! command -v vault &>/dev/null; then
@ -36,19 +37,23 @@ printf "🥳 Installation complete!\n\n"
# Set up Vault token # Set up Vault token
printf "🔑 Authenticating with Vault ...\n\n" printf "🔑 Authenticating with Vault ...\n\n"
echo "PROVIDER_ID: $PROVIDER_ID" echo "AUTH_PATH: $AUTH_PATH"
VAULT_TOKEN=$(coder external-auth access-token $PROVIDER_ID) echo "GITHUB_EXTERNAL_AUTH_ID: $GITHUB_EXTERNAL_AUTH_ID"
GITHUB_TOKEN=$(coder external-auth access-token $GITHUB_EXTERNAL_AUTH_ID)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
printf "Authenticate with Vault:\n$VAULT_TOKEN\n" printf "Authentication with Vault failed. Please check your credentials.\n"
exit 1 exit 1
fi fi
export VAULT_ADDR=$VAULT_ADDR export VAULT_ADDR=$VAULT_ADDR
# Verify Vault address and token # Verify Vault address
printf "🔎 Verifying Vault address and token ...\n\n" printf "🔎 Verifying Vault address...\n\n"
vault status vault status
vault login $VAULT_TOKEN
# Login to Vault to using GitHub token
printf "🔑 Logging in to Vault ...\n\n"
vault login -method=github token=$GITHUB_TOKEN -path=/$AUTH_PATH
# Add VAULT_ADDR to shell login scripts if not already present e.g. .bashrc, .zshrc # Add VAULT_ADDR to shell login scripts if not already present e.g. .bashrc, .zshrc
# This is a temporary fix and will be replaced with https://github.com/coder/coder/issues/10166 # This is a temporary fix and will be replaced with https://github.com/coder/coder/issues/10166
@ -69,3 +74,6 @@ if [[ -f ~/.config/fish/config.fish ]] && ! grep -q "VAULT_ADDR" ~/.config/fish/
printf "\nAdding VAULT_ADDR to ~/.config/fish/config.fish ...\n" printf "\nAdding VAULT_ADDR to ~/.config/fish/config.fish ...\n"
echo "set -x VAULT_ADDR $VAULT_ADDR" >>~/.config/fish/config.fish echo "set -x VAULT_ADDR $VAULT_ADDR" >>~/.config/fish/config.fish
fi fi
printf "\n🥳 Vault authentication complete!\n\n"
printf "You can now use Vault CLI to access secrets.\n"
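Review bot: The `vault login -method=github …` call closing the second hunk is not checked, so a failed login still falls through to the unconditional "🥳 Vault authentication complete!" lines in the last hunk and the script exits 0; only the earlier `coder external-auth access-token` step is guarded. The GitHub token is also handed over on the command line (`token=$GITHUB_TOKEN`), which exposes it to anything on the host that can read the process list while the command runs; the github auth method also reads it from the `VAULT_AUTH_GITHUB_TOKEN` environment variable, which avoids that. By default `vault login` prints the resulting Vault token to stdout, which here goes into the workspace startup log, so `-no-print` is worth adding. The failure message `Authentication with Vault failed. Please check your credentials.` in the second hunk is raised when the Coder GitHub token fetch fails, not a Vault step, and the old code printed the command output there — presumably containing the link to complete external auth — so the new wording may hide the actionable hint.
```shell
# Login to Vault to using GitHub token
printf "🔑 Logging in to Vault ...\n\n"
# Pass the token through the environment so it does not appear in the process list;
# -no-print keeps the resulting Vault token out of the startup log.
if ! VAULT_AUTH_GITHUB_TOKEN="$GITHUB_TOKEN" vault login -no-print -method=github -path="/$AUTH_PATH"; then
  printf "Vault login failed.\n"
  exit 1
fi
# … unchanged: adding VAULT_ADDR to shell login scripts …
```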
