publicWagsHome
/
modules
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
optionality
coder-monitoring
atif/multi-gateway
cj/github-inaction
atif/jetbrains-multi-ides
atif/support-kasm-images
atif/qol-improvments
module-glitch-repro
mes/rdp-glitch-repro
web-rdp-cloud-fixes
slackme/exitcode
v1.0.29-1
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.20
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.8
v1.0.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '453e38a5c0'
${ noResults }
modules/vault-jwt
History
Muhammad Atif Ali 7654140330
docs: promote count usage to prevent module download on stop (#371) 		4 months ago
..
README.md docs: promote count usage to prevent module download on stop (#371) 4 months ago
main.test.ts feat(vault-jwt): Add Vault JWT/OIDC module (#297) 7 months ago
main.tf feat(vault-jwt): Add Vault JWT/OIDC module (#297) 7 months ago
run.sh fix(vault-jwt): fix vault CLI installation (#311) 7 months ago

README.md

display_name description icon maintainer_github partner_github verified tags
Hashicorp Vault Integration (JWT) Authenticates with Vault using a JWT from Coder's OIDC provider ../.icons/vault.svg coder hashicorp true
helper
integration
vault
jwt
oidc

Hashicorp Vault Integration (JWT)

This module lets you authenticate with Hashicorp Vault in your Coder workspaces by reusing the OIDC access token from Coder's OIDC authentication method. This requires configuring the Vault JWT/OIDC auth method.

module "vault" {
  count          = data.coder_workspace.me.start_count
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.20"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = "coder" # The Vault role to use for authentication
}

Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:

vault kv get -namespace=coder -mount=secrets coder

or using the Vault API:

curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"

Examples

Configure Vault integration with a non standard auth path (default is "jwt")

module "vault" {
  count               = data.coder_workspace.me.start_count
  source              = "registry.coder.com/modules/vault-jwt/coder"
  version             = "1.0.20"
  agent_id            = coder_agent.example.id
  vault_addr          = "https://vault.example.com"
  vault_jwt_auth_path = "oidc"
  vault_jwt_role      = "coder" # The Vault role to use for authentication
}

Map workspace owner's group to a Vault role

data "coder_workspace_owner" "me" {}

module "vault" {
  count          = data.coder_workspace.me.start_count
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.20"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = data.coder_workspace_owner.me.groups[0]
}

Install a specific version of the Vault CLI

module "vault" {
  count             = data.coder_workspace.me.start_count
  source            = "registry.coder.com/modules/vault-jwt/coder"
  version           = "1.0.20"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_jwt_role    = "coder" # The Vault role to use for authentication
  vault_cli_version = "1.17.5"
}