From a458c2cfec5c60078a2671e4f8e5195301766ddb Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 10 Oct 2023 13:25:59 +0300 Subject: [PATCH] add docs --- vault/README.md | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/vault/README.md b/vault/README.md index 337c109..ac8aeca 100644 --- a/vault/README.md +++ b/vault/README.md 
@@ -20,14 +20,54 @@ module "vault" { } ``` +Then you can use the Vault CLI in your workspaces to fetch secrets from Vault: + +```shell +vault kv get secret/my-secret +``` + +or using the Vault API: + +```shell +curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET $VAULT_ADDR/v1/secret/data/my-secret +``` + ![Vault login](../.images/vault-login.png) +## Configuration + +To configure the Vault module, you must setup a Vault [OIDC Provider](https://developer.hashicorp.com/vault/docs/concepts/oidc-provider) and [configure](https://coder.com/docs/v2/latest/admin/external-auth) Coder to use it. + +### OIDC Provider in Vault + +1. Create a Vault OIDC Application with name `coder` and set the Redirect URI to `https://coder.example.com/external-auth/vault/callback`. + +2. MAke note of the Vault OIDC Provider's Client ID and Client Secret. +3. Add a provider to OIDC application with name `coder` and set the "Issuer URL" to `$VAULT_ADDR`. + +### Coder configuration + +Add the following to your Coder configuration: + +```env +CODER_EXTERNAL_AUTH_0_ID: "vault" +CODER_EXTERNAL_AUTH_0_TYPE: "vault" +CODER_EXTERNAL_AUTH_0_CLIENT_ID: "XXXXXXXXXX" +CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX" +CODER_EXTERNAL_AUTH_0_DISPLAY_NAME: "Hashicorp Vault" +CODER_EXTERNAL_AUTH_0_DISPLAY_ICON: "/icon/vault.svg" +CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/userinfo" +CODER_EXTERNAL_AUTH_0_AUTH_URL: "$VAULT_ADDR/ui/vault/identity/oidc/provider/coder/authorize" +CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token" +CODER_EXTERNAL_AUTH_0_SCOPES: "openid" +``` + +> **Note:** Replace `$VAULT_ADDR` with your Vault address. + ## Examples ### Configure Vault integration with a custom Vault auth id -See [docs](https://coder.com/docs/v2/latest/admin/external-auth) for more information what are external auth ids. - ```hcl module "vault" { source = "https://registry.coder.com/modules/vault"
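Review bot: the `env` block under "Coder configuration" uses `KEY: "value"` (YAML-style colon) rather than `KEY="value"`, so pasting it into an env file or service unit will not set any of the variables; each line should read like `CODER_EXTERNAL_AUTH_0_ID="vault"`. Two smaller points in the same hunk: step 2 of "OIDC Provider in Vault" has a typo ("MAke note") and attributes the Client ID and Client Secret to the provider, whereas they belong to the OIDC application created in step 1, so "Make note of the Vault OIDC application's Client ID and Client Secret" would be clearer; and the `vault` path segment of the Redirect URI (`https://coder.example.com/external-auth/vault/callback`) has to agree with `CODER_EXTERNAL_AUTH_0_ID`, which is worth saying explicitly so readers who pick a different auth id also change the callback. Since the block carries `CODER_EXTERNAL_AUTH_0_CLIENT_SECRET`, a one-line reminder to inject the real secret from a secret store rather than committing it alongside this template would also fit here.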