modules/vault/README.md
---
display_name: vault
description: Authenticates with Vault
icon: ../.icons/vault.svg
maintainer_github: coder
verified: true
tags: [helper, integration, vault]
---

# Hashicorp Vault

This module lets you authenticate with Hashicorp Vault in your Coder workspaces.

Note: This module does not cover setting up and configuring Vault auth methods. For that, see the Vault documentation.

```tf
module "vault" {
    source     = "https://registry.coder.com/modules/vault"
    vault_addr = "https://vault.example.com"
}
```

Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:

```shell
vault kv get -mount=secret my-secret
```

or using the Vault API:

```shell
curl -H "X-Vault-Token: $VAULT_TOKEN" -X GET "$VAULT_ADDR/v1/secret/data/my-secret"
```
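The API call above returns a KV v2 envelope, and the secret fields sit under `data.data`, not `data`; a common mistake is reading one level too high. The following is an added example (not part of this module or of Vault's client libraries) that builds the KV v2 read URL, unwraps that envelope, and reads a secret with the `VAULT_ADDR` and `VAULT_TOKEN` the module leaves in the workspace environment. The HTTP error handling deliberately reports the status code without echoing the token. The sample response embedded at the bottom is constructed so the parser can be exercised offline.

```python
"""Fetch a KV v2 secret from Vault with the workspace token (added example, not module code)."""
import json
import os
import urllib.error
import urllib.request


def kv2_data_url(vault_addr: str, mount: str, path: str) -> str:
    """Build the KV v2 read URL: /v1/<mount>/data/<path>.

    KV v2 inserts the literal 'data' segment between mount and secret path;
    KV v1 would be /v1/<mount>/<path> and returns a different envelope.
    """
    return f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"


def parse_kv2_response(body: str) -> dict:
    """Unwrap the KV v2 envelope: secret fields are under data.data, metadata under data.metadata."""
    doc = json.loads(body)
    data = doc.get("data") or {}
    if "data" not in data:
        raise ValueError("not a KV v2 read response (missing data.data)")
    return {"secret": data["data"], "version": data.get("metadata", {}).get("version")}


def read_secret(mount: str, path: str) -> dict:
    """Read a secret using VAULT_ADDR/VAULT_TOKEN from the environment.

    The token travels only in the X-Vault-Token header and is never written to
    output; a 403 means the token's policies do not grant read on this path,
    a 404 means the path (or version) does not exist.
    """
    addr = os.environ["VAULT_ADDR"]
    token = os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(kv2_data_url(addr, mount, path), headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_kv2_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"Vault returned HTTP {err.code} for {mount}/{path}") from None


# Constructed sample of a KV v2 read response (not captured from a real Vault).
SAMPLE_RESPONSE = json.dumps({
    "request_id": "constructed-sample",
    "data": {
        "data": {"username": "app", "password": "not-a-real-secret"},
        "metadata": {"created_time": "2024-01-01T00:00:00Z", "version": 3},
    },
})

if __name__ == "__main__":
    print(kv2_data_url("https://vault.example.com/", "secret", "my-secret"))
    parsed = parse_kv2_response(SAMPLE_RESPONSE)
    # Print field names only; never print secret values or the token.
    print("fields:", sorted(parsed["secret"]), "version:", parsed["version"])
```

Call `read_secret("secret", "my-secret")` from inside a workspace where the module has already logged in; the two helper functions above it are what the offline run exercises.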

[Screenshot: Vault login]

## Configuration

To configure the Vault module, you must set up a Vault OIDC provider and configure Coder to use it.

### OIDC Provider in Vault

1. Create a Vault OIDC application with name `coder` and set the Redirect URI to `https://coder.example.com/external-auth/vault/callback`.
2. Make note of the Client ID and Client Secret.
3. Add a provider to the OIDC application with name `coder` and set the "Issuer URL" to `$VAULT_ADDR`.

### Coder configuration

Add the following to your Coder configuration:

```yaml
CODER_EXTERNAL_AUTH_0_ID: "vault"
CODER_EXTERNAL_AUTH_0_TYPE: "vault"
CODER_EXTERNAL_AUTH_0_CLIENT_ID: "XXXXXXXXXX"
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET: "XXXXXXXXX"
CODER_EXTERNAL_AUTH_0_DISPLAY_NAME: "Hashicorp Vault"
CODER_EXTERNAL_AUTH_0_DISPLAY_ICON: "/icon/vault.svg"
CODER_EXTERNAL_AUTH_0_VALIDATE_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/userinfo"
CODER_EXTERNAL_AUTH_0_AUTH_URL: "$VAULT_ADDR/ui/vault/identity/oidc/provider/coder/authorize"
CODER_EXTERNAL_AUTH_0_TOKEN_URL: "$VAULT_ADDR/v1/identity/oidc/provider/coder/token"
CODER_EXTERNAL_AUTH_0_SCOPES: "openid"
```

Note: Replace `$VAULT_ADDR` with your Vault address, e.g. `https://vault.example.com`.
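The three endpoint URLs above are all derived from the Vault address and the OIDC provider name, and the most frequent misconfigurations are a `$VAULT_ADDR` placeholder left unsubstituted, a `XXXX` client secret copied verbatim, or a plain-HTTP endpoint. The following is an added example (not part of this module or of Coder) that generates the `CODER_EXTERNAL_AUTH_*` entries from a Vault address and client credentials, derives the redirect URI to register on the Vault OIDC application, and checks the result before it is deployed. It assumes the provider in Vault is named `coder`, as in the steps above, and that Coder's callback path keeps the `/external-auth/<auth id>/callback` shape shown for the id `vault` when a custom auth id is used; that generalisation is an assumption here, not something the page states.

```python
"""Generate and sanity-check Coder external-auth settings for Vault OIDC (added example, not module code)."""
from urllib.parse import urlparse

# Name given to the OIDC provider inside Vault (assumption: matches the setup steps above).
PROVIDER_NAME = "coder"

REQUIRED = ("ID", "TYPE", "CLIENT_ID", "CLIENT_SECRET", "VALIDATE_URL", "AUTH_URL", "TOKEN_URL")


def external_auth_settings(vault_addr: str, client_id: str, client_secret: str,
                           auth_id: str = "vault", index: int = 0) -> dict:
    """Return the environment variables for one Coder external-auth entry backed by Vault's OIDC provider."""
    base = vault_addr.rstrip("/")
    oidc_api = f"{base}/v1/identity/oidc/provider/{PROVIDER_NAME}"
    prefix = f"CODER_EXTERNAL_AUTH_{index}_"
    return {
        prefix + "ID": auth_id,
        prefix + "TYPE": "vault",
        prefix + "CLIENT_ID": client_id,
        prefix + "CLIENT_SECRET": client_secret,
        prefix + "DISPLAY_NAME": "Hashicorp Vault",
        prefix + "DISPLAY_ICON": "/icon/vault.svg",
        prefix + "VALIDATE_URL": f"{oidc_api}/userinfo",
        # The authorize endpoint is served by the Vault UI, the other two by the API.
        prefix + "AUTH_URL": f"{base}/ui/vault/identity/oidc/provider/{PROVIDER_NAME}/authorize",
        prefix + "TOKEN_URL": f"{oidc_api}/token",
        prefix + "SCOPES": "openid",
    }


def redirect_uri(coder_url: str, auth_id: str = "vault") -> str:
    """Redirect URI to register on the Vault OIDC application (assumes /external-auth/<id>/callback)."""
    return f"{coder_url.rstrip('/')}/external-auth/{auth_id}/callback"


def check_settings(settings: dict, index: int = 0) -> list:
    """Return a list of problems: missing keys, unsubstituted placeholders, non-HTTPS endpoints."""
    problems = []
    prefix = f"CODER_EXTERNAL_AUTH_{index}_"
    for suffix in REQUIRED:
        if prefix + suffix not in settings:
            problems.append(f"missing {prefix + suffix}")
    for key, value in settings.items():
        # "$VAULT_ADDR" and "XXXX..." are the placeholders used in the README snippet.
        if "$VAULT_ADDR" in value or value.startswith("XXXX"):
            problems.append(f"{key}: placeholder not replaced")
        if key.endswith("_URL") and urlparse(value).scheme != "https":
            problems.append(f"{key}: endpoint must use https")
    return problems


def render_env(settings: dict) -> str:
    """Render the settings in the KEY: "value" form used in the configuration snippet."""
    return "\n".join(f'{key}: "{value}"' for key, value in settings.items())


if __name__ == "__main__":
    good = external_auth_settings("https://vault.example.com", "client-id-placeholder", "client-secret-placeholder")
    print("register redirect URI:", redirect_uri("https://coder.example.com"))
    print("problems in derived settings:", check_settings(good))
    # The README snippet taken literally, with its placeholders still in place.
    literal = external_auth_settings("$VAULT_ADDR", "XXXXXXXXXX", "XXXXXXXXX")
    for problem in check_settings(literal):
        print("problem:", problem)
```

`render_env` deliberately includes the client secret, so treat its output as you would the configuration file itself; the `__main__` block prints only the check results, never the rendered settings.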

## Examples

### Configure Vault integration with a custom Vault auth id

```tf
module "vault" {
    source        = "https://registry.coder.com/modules/vault"
    vault_addr    = "https://vault.example.com"
    vault_auth_id = "my-auth-id"
}
```

### Configure Vault integration and install a specific version of the Vault CLI

```tf
module "vault" {
    source            = "https://registry.coder.com/modules/vault"
    vault_addr        = "https://vault.example.com"
    vault_cli_version = "1.15.0"
}
```