| display_name | description | icon | maintainer_github | verified | tags |
|---|---|---|---|---|---|
| vault | Authenticates with Vault | ../.icons/vault.svg | coder | true | |
HashiCorp Vault
This module lets you authenticate with HashiCorp Vault in your Coder workspaces.
Note: This module does not cover setting up and configuring Vault. For that, see the Vault documentation.
```hcl
module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
}
```
Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
```shell
vault kv get secret/my-secret
```
or using the Vault API:
```shell
# Quote the URL so an address with unusual characters is not split by the shell.
curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET "$VAULT_ADDR/v1/secret/data/my-secret"
```
Configuration
To configure the Vault module, you must set up a Vault OIDC Provider and configure Coder to use it.
OIDC Provider in Vault
- Create a Vault OIDC Application with name `coder` and set the Redirect URI to `https://coder.example.com/external-auth/vault/callback`.
- Make note of the Vault OIDC Provider's Client ID and Client Secret.
- Add a provider to the OIDC application with name `coder` and set the "Issuer URL" to `$VAULT_ADDR`.
Coder configuration
Add the following to your Coder configuration:
```yaml
CODER_EXTERNAL_AUTH_0_ID: "vault"
CODER_EXTERNAL_AUTH_0_TYPE: "vault"
CODER_EXTERNAL_AUTH_0_CLIENT_ID: "XXXXXXXXXX"
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX"
CODER_EXTERNAL_AUTH_0_DISPLAY_NAME: "Hashicorp Vault"
CODER_EXTERNAL_AUTH_0_DISPLAY_ICON: "/icon/vault.svg"
CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL: "$VAULT_ADDR/ui/vault/identity/oidc/provider/coder/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token"
CODER_EXTERNAL_AUTH_0_SCOPES: "openid"
```
Note: Replace `$VAULT_ADDR` with your Vault address.
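A pre-deployment check for the block above, as an added example that is not part of this module or of Coder: it confirms the three endpoint URLs were expanded to the same HTTPS Vault address, that the ID matches the registered redirect URI, and that the credentials are no longer placeholders. The function names `cfg_get`, `lint_vault_external_auth` and `sample_cfg` are hypothetical, the input is assumed to be `KEY: "value"` lines as shown above, and the sample values are constructed.

```shell
# Added example, not part of the module: lint a Coder external-auth block for
# Vault. Assumes KEY: "value" lines in the layout shown in the README.

# cfg_get CONFIG_TEXT KEY -> value of KEY (empty if absent)
cfg_get() {
  printf '%s\n' "$1" | sed -n "s/^$2: \"\(.*\)\"\$/\1/p" | head -n 1
}

# lint_vault_external_auth CONFIG_TEXT VAULT_ADDR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_vault_external_auth() {
  local cfg="$1" addr="${2%/}" p=CODER_EXTERNAL_AUTH_0 rc=0 e k key want got
  # Tokens and the client secret cross these URLs, so require TLS.
  case $addr in
    https://*) ;;
    *) echo "VAULT_ADDR is not an https URL: $addr"; rc=1 ;;
  esac
  # Endpoint paths as listed in the README, for the provider named "coder".
  for e in VALIDATE_URL:/v1/identity/oidc/provider/coder/userinfo \
           AUTH_URL:/ui/vault/identity/oidc/provider/coder/authorize \
           TOKEN_URL:/v1/identity/oidc/provider/coder/token; do
    key=${p}_${e%%:*} want=$addr${e#*:}
    got=$(cfg_get "$cfg" "$key")
    [ "$got" = "$want" ] || { echo "$key: want $want, got ${got:-<unset>}"; rc=1; }
  done
  # The redirect URI registered in Vault ends in /external-auth/vault/callback.
  [ "$(cfg_get "$cfg" "${p}_ID")" = vault ] || { echo "${p}_ID must be \"vault\""; rc=1; }
  # Reject unset credentials and the README's all-X placeholders.
  for k in CLIENT_ID CLIENT_SECRET; do
    case $(cfg_get "$cfg" "${p}_$k") in
      '') echo "${p}_$k is unset"; rc=1 ;;
      *[!X]*) ;;
      *) echo "${p}_$k is still a placeholder"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: TOKEN_URL left unexpanded, secret still a placeholder.
sample_cfg() {
  cat <<'EOF'
CODER_EXTERNAL_AUTH_0_ID: "vault"
CODER_EXTERNAL_AUTH_0_CLIENT_ID: "constructed-client-id"
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX"
CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "https://vault.example.com/v1/identity/oidc/provider/coder/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL: "https://vault.example.com/ui/vault/identity/oidc/provider/coder/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token"
EOF
}
```

Running `lint_vault_external_auth "$(sample_cfg)" https://vault.example.com` reports the unexpanded `$VAULT_ADDR` in the token URL and the placeholder client secret, and returns 1.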
Examples
Configure Vault integration with a custom Vault auth id
```hcl
module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
    vault_auth_id = "my-auth-id"
}
```
Configure Vault integration and install a specific version of the Vault CLI
```hcl
module "vault" {
    source = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
    vault_cli_version = "1.15.0"
}
```
			
		