  1. Set up the JWT authentication method on the Vault server so that it trusts the GitHub token issuer.
  2. Create the Vault policy that grants access to the secret.
  3. Create the JWT role that maps the GitHub token (by its claims) to the Vault policy.
  4. Create the GitHub Actions workflow that requests the token and uses it to read the Vault secret.
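As an added illustration of step 3 (not code from this page or from Vault itself), the following Python models how a JWT role's bound_audiences and bound_claims gate a GitHub token before any policy is applied: a token from another repository, another branch or minted for another audience is rejected. The role values, policy name and token claims are constructed assumptions, and the signature check Vault performs against the issuer's published keys is outside this model.

```python
import fnmatch

# Constructed Vault-side configuration (names and values are assumptions).
JWT_CONFIG = {"bound_issuer": "https://token.actions.githubusercontent.com"}
JWT_ROLE = {
    "bound_audiences": ["https://github.com/example-org"],
    "bound_claims_type": "glob",  # "string" = exact match, "glob" = wildcard
    "bound_claims": {
        "repository": "example-org/example-repo",
        "ref": "refs/heads/main",
        "job_workflow_ref": "example-org/example-repo/.github/workflows/*.yml@refs/heads/main",
    },
    "token_policies": ["github-actions-read"],
}

# Constructed claims of a GitHub Actions OIDC token for a push to main.
GITHUB_TOKEN_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://github.com/example-org",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
    "job_workflow_ref": "example-org/example-repo/.github/workflows/deploy.yml@refs/heads/main",
    "exp": 9999999999,
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _claim_matches(actual, expected, claims_type):
    # A claim may be a string or a list; it matches if any value meets any bound value.
    for have in _as_list(actual):
        for want in _as_list(expected):
            if claims_type == "glob" and fnmatch.fnmatchcase(str(have), str(want)):
                return True
            if claims_type != "glob" and str(have) == str(want):
                return True
    return False

def evaluate_role(config, role, claims, now):
    """Return (policies, reason); policies is empty when the token is rejected."""
    if claims.get("exp", 0) <= now:
        return [], "token expired"
    if claims.get("iss") != config["bound_issuer"]:
        return [], "issuer mismatch"  # not minted by GitHub's issuer
    if not _claim_matches(claims.get("aud", []), role["bound_audiences"], "string"):
        return [], "audience mismatch"  # minted for a different consumer
    for name, expected in role["bound_claims"].items():
        if not _claim_matches(claims.get(name, []), expected, role["bound_claims_type"]):
            return [], f"bound claim {name} mismatch"  # e.g. fork or feature branch
    return list(role["token_policies"]), "ok"
```

Binding only the audience and leaving bound_claims empty would let any workflow in the organisation reach the policy, which is why the repository and ref (or job_workflow_ref) are bound as well.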

Interaction of GitHub and Vault in accessing Vault secrets

PlantUML diagram
@startuml

' Vault side: a JWT role inside the JWT auth method maps matching tokens to a policy,
' and the policy grants read access to the secret.
rectangle vault_server as "Vault server" {
    rectangle jwt_auth as "JWT Auth (GitHub)" {
        collections jwt_roles as "JWT roles"
        file jwt_role as "JWT role"
        jwt_roles . jwt_role
    }

    collections vault_policies as "Vault policies"
    file vault_policy as "Vault policy"
    vault_policies . vault_policy

    collections vault_secrets as "Vault secrets"
    file vault_secret as "Vault secret"
    vault_secrets . vault_secret
    vault_policy --> vault_secret : allow read

}

' GitHub side: the workflow asks the token issuer for a GitHub token; the runner presents it to Vault.
rectangle github as "GitHub infra" {
    file workflow as "Actions workflow"
    node runner as "Actions runner"

    database token_issuer as "Token issuer"
    workflow --> runner
    workflow -> token_issuer

    circle token as "GitHub token"

    token_issuer .> token
    runner -> token
}

' Across the boundary: Vault matches the token's claims against the role, then applies the mapped policy.
jwt_role <-- token : match on claims
jwt_role --> vault_policy : map to policy

@enduml
