...
- Set up the Vault server's JWT authentication method to trust the GitHub token issuer.
- Create the Vault policy for the secret.
- Create the JWT role that maps the GitHub token, matched on its claims, to the Vault policy.
- Create the GitHub Actions workflow to access the Vault secret.
...
Interaction of GitHub and Vault in accessing Vault secrets
PlantUML Macro |
---|
@startuml
' Trust chain for a GitHub Actions workflow reading a Vault secret:
' the workflow obtains a GitHub-issued token, Vault's JWT auth method
' matches that token against a JWT role, the role maps to a policy,
' and the policy grants read access to the secret.
rectangle vault_server as "Vault server" {
rectangle jwt_auth as "JWT Auth (GitHub)" {
collections jwt_roles as "JWT roles"
file jwt_role as "JWT role"
jwt_roles . jwt_role
}
collections vault_policies as "Vault policies"
file vault_policy as "Vault policy"
vault_policies . vault_policy
collections vault_secrets as "Vault secrets"
file vault_secret as "Vault secret"
vault_secrets . vault_secret
' The policy is the only edge that reaches the secret, and it is read-only.
vault_policy --> vault_secret : allow read
}
rectangle github as "GitHub infra" {
file workflow as "Actions workflow"
node runner as "Actions runner"
database token_issuer as "Token issuer"
workflow --> runner
' The workflow requests the token from the issuer; the runner presents it to Vault.
workflow -> token_issuer
circle token as "GitHub token"
token_issuer .> token
runner -> token
}
' The role's claim match is the access-control decision point.
' NOTE(review): the specific claims the role binds are not shown here;
' confirm the role pins the token to the intended repository/workflow
' rather than accepting any token from the trusted issuer.
jwt_role <-- token : match on claims
jwt_role --> vault_policy : map to policy
@enduml |
...