
HashiCorp Vault Integration (JWT)

Authenticates with Vault using a JWT from Coder's OIDC provider

This module lets you authenticate with HashiCorp Vault in your Coder workspaces by reusing the OIDC access token from Coder's OIDC authentication method. This requires configuring the Vault JWT/OIDC auth method.

module "vault" {
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.20"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = "coder" # The Vault role to use for authentication
}

Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:

vault kv get -namespace=coder -mount=secrets coder

or using the Vault API:

curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"

Examples

Configure Vault integration with a non-standard auth path (default is "jwt")

module "vault" {
  source              = "registry.coder.com/modules/vault-jwt/coder"
  version             = "1.0.20"
  agent_id            = coder_agent.example.id
  vault_addr          = "https://vault.example.com"
  vault_jwt_auth_path = "oidc"
  vault_jwt_role      = "coder" # The Vault role to use for authentication
}

Map workspace owner's group to a Vault role

data "coder_workspace_owner" "me" {}

module "vault" {
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.20"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = data.coder_workspace_owner.me.groups[0]
}
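
The Vault side of the group-to-role mapping above, and of the JWT auth method this module requires, as an added example written against the hashicorp/vault Terraform provider (it is not part of this module or its README). It assumes the access token is a JWT carrying a `groups` claim and that the provider is already pointed at the `coder` namespace; the issuer URL, audience, `developers` group and policy name are placeholders.

```hcl
# Added example: Vault-side configuration, not part of the vault-jwt module.
# Every literal below is a placeholder/assumption to replace with your own values.

resource "vault_jwt_auth_backend" "coder" {
  path               = "jwt" # must equal the module's vault_jwt_auth_path
  type               = "jwt"
  oidc_discovery_url = "https://idp.example.com" # assumed issuer behind Coder's OIDC login
  bound_issuer       = "https://idp.example.com"
}

# Read-only policy for the secret the README fetches (KV v2 mount "secrets", key "coder").
resource "vault_policy" "developers_read" {
  name   = "coder-developers-read"
  policy = <<-EOT
    path "secrets/data/coder" {
      capabilities = ["read"]
    }
  EOT
}

# Role named after a Coder group, so vault_jwt_role = groups[0] resolves to it.
resource "vault_jwt_auth_backend_role" "developers" {
  backend   = vault_jwt_auth_backend.coder.path
  role_name = "developers"
  role_type = "jwt"

  bound_audiences = ["coder-oidc-client-id"] # assumed: the token's aud value
  user_claim      = "sub"

  # The role name is chosen by the template, so it is not an authorization check.
  # Binding on the token's group claim makes Vault enforce membership itself.
  bound_claims = {
    groups = "developers" # assumes the IdP emits a "groups" claim
  }

  token_policies = [vault_policy.developers_read.name]
  token_ttl      = 3600 # seconds
  token_max_ttl  = 28800
}
```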

Install a specific version of the Vault CLI

module "vault" {
  source            = "registry.coder.com/modules/vault-jwt/coder"
  version           = "1.0.20"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_jwt_role    = "coder" # The Vault role to use for authentication
  vault_cli_version = "1.17.5"
}