Commit

feat: added github oidc token as a header (#471)
* added github oidc token as a header

* added instance to audience
eloymg authored Oct 16, 2024
1 parent 138c096 commit 6426ecd
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions actions/get-vault-secrets/action.yaml
Expand Up @@ -62,6 +62,14 @@ runs:
COMMON_SECRETS: ${{ inputs.common_secrets }}
REPO: ${{ github.repository }}

- id: get-github-jwt-token
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const jwt = await core.getIDToken("vault-github-actions-grafana-${{ inputs.vault_instance }}");
core.setSecret(jwt);
core.setOutput("github-jwt",jwt);
# Get the secrets
- name: Import Secrets
id: import-secrets
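Review bot: `${{ inputs.vault_instance }}` is expanded into the `script:` body of the `get-github-jwt-token` step before the JavaScript runs, so the input's value becomes part of the code rather than data passed to it. The preceding step hands its inputs over as named values (`COMMON_SECRETS: ${{ inputs.common_secrets }}`); do the same here by adding `VAULT_INSTANCE: ${{ inputs.vault_instance }}` under an `env:` key on this step and building the audience string from `process.env.VAULT_INSTANCE`. A blank line before `# Get the secrets` would also keep the new step visually separate from the one that follows.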
Expand All @@ -74,5 +82,6 @@ runs:
jwtGithubAudience: "https://vault-github-actions.grafana-${{ inputs.vault_instance }}.net"
extraHeaders: |
Proxy-Authorization: Bearer ${{ steps.vault-iap-auth.outputs.id_token }}
Proxy-Authorization-Token: Bearer ${{ steps.get-github-jwt-token.outputs.github-jwt }}
secrets: |
${{ steps.translate-secrets.outputs.secrets }}
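Review bot: The token sent in `Proxy-Authorization-Token` was requested with the audience `vault-github-actions-grafana-<instance>` (in the `get-github-jwt-token` step), while `jwtGithubAudience` in this step is `https://vault-github-actions.grafana-<instance>.net`; the two strings differ in scheme, separator and suffix, and nothing here says which verifier expects which. Add a comment next to `extraHeaders` naming the component that validates each header and the audience it checks, so a later change to one value is not mistaken for a typo in the other. Since `Proxy-Authorization` and the new header are both sent, the comment should also say whether the IAP token is still required or is kept only for a transition period.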

1 comment on commit 6426ecd

@eloymg eloymg commented on 6426ecd Oct 16, 2024

Added GitHub OIDC token as a header. This allows us to remove the IAP proxy from the auth process because we validate the GitHub OIDC token directly.