From 3224a223d483e2d7059903501ff54d313e17ac83 Mon Sep 17 00:00:00 2001 From: JM Faircloth Date: Wed, 31 Jul 2024 14:01:14 -0500 Subject: [PATCH 1/2] docs: add namespace example to readme --- README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5570c2a8..55f02795 100644 --- a/README.md +++ b/README.md @@ -486,7 +486,6 @@ steps: uses: hashicorp/vault-action with: url: https://vault-enterprise.mycompany.com:8200 - caCertificate: ${{ secrets.VAULT_CA_CERT }} method: token token: ${{ secrets.VAULT_TOKEN }} namespace: admin @@ -496,6 +495,25 @@ steps: secret/data/ci npm_token ``` +Alternatively, you may need to authenticate to the root namespace and retrieve +a secret from a different namespace. To do this, do not set the `namespace` +parameter. Instead set the namespace in the secret path. For example, `/secret/data/app`: + +```yaml +steps: + # ... + - name: Import Secrets + uses: hashicorp/vault-action + with: + url: https://vault-enterprise.mycompany.com:8200 + method: token + token: ${{ secrets.VAULT_TOKEN }} + secrets: | + namespace-1/secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ; + namespace-1/secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ; + namespace-1/secret/data/ci npm_token +``` + ## Reference Here are all the inputs available through `with`: From c0198972339e81c806d92b4b8647ac8fee9499d4 Mon Sep 17 00:00:00 2001 From: JM Faircloth Date: Wed, 31 Jul 2024 14:07:23 -0500 Subject: [PATCH 2/2] fix integration test jwt audience --- integrationTests/basic/jwt_auth.test.js | 54 +++++++++++++++++-------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/integrationTests/basic/jwt_auth.test.js b/integrationTests/basic/jwt_auth.test.js index df2703b5..e2744a1c 100644 --- a/integrationTests/basic/jwt_auth.test.js +++ b/integrationTests/basic/jwt_auth.test.js @@ -97,6 +97,8 @@ describe('jwt auth', () => { } }); + // write the jwt config, the jwt role will be written on a per-test + // basis since the audience may vary await got(`${vaultUrl}/v1/auth/jwt/config`, { method: 'POST', headers: { @@ -108,22 +110,6 @@ describe('jwt auth', () => { } }); - await got(`${vaultUrl}/v1/auth/jwt/role/default`, { - method: 'POST', - headers: { - 'X-Vault-Token': vaultToken, - }, - json: { - role_type: 'jwt', - bound_audiences: null, - bound_claims: { - iss: 'vault-action' - }, - user_claim: 'iss', - policies: ['reader'] - } - }); - await got(`${vaultUrl}/v1/secret/data/test`, { method: 'POST', headers: { @@ -138,6 +124,24 @@ describe('jwt auth', () => { }); describe('authenticate with private key', () => { + beforeAll(async () => { + await got(`${vaultUrl}/v1/auth/jwt/role/default`, { + method: 'POST', + headers: { + 'X-Vault-Token': vaultToken, + }, + json: { + role_type: 'jwt', + bound_audiences: null, + bound_claims: { + iss: 'vault-action' + }, + user_claim: 'iss', + policies: ['reader'] + } + }); + }); + beforeEach(() => { jest.resetAllMocks(); @@ -170,6 +174,22 @@ describe('jwt auth', () => { describe('authenticate with Github OIDC', () => { beforeAll(async () => { + await got(`${vaultUrl}/v1/auth/jwt/role/default`, { + method: 'POST', + headers: { + 'X-Vault-Token': vaultToken, + }, + json: { + role_type: 'jwt', + bound_audiences: 'https://github.com/hashicorp/vault-action', + bound_claims: { + iss: 'vault-action' + }, + user_claim: 'iss', + policies: ['reader'] + } + }); + await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, { method: 'POST', headers: { @@ -177,7 +197,7 @@ describe('jwt auth', () => { }, json: { role_type: 'jwt', - bound_audiences: null, + bound_audiences: 'sigstore', bound_claims: { iss: 'vault-action', aud: 'sigstore',