Back to Modules
Hashicorp Vault Integration (JWT)
Hashicorp Vault Integration (JWT)23 InstallsTests Passed: a month ago
23 Installs
Tests Passed: a month ago
Authenticates with Vault using a JWT from Coder's OIDC provider
README
Variables (5)
Scripts (1)
Source
This module lets you authenticate with Hashicorp Vault in your Coder workspaces by reusing the OIDC access token from Coder's OIDC authentication method. This requires configuring the Vault JWT/OIDC auth method.
1module "vault" { 2 source = "registry.coder.com/modules/vault-jwt/coder" 3 version = "1.0.20" 4 agent_id = coder_agent.example.id 5 vault_addr = "https://vault.example.com" 6 vault_jwt_role = "coder" # The Vault role to use for authentication 7}
Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
1vault kv get -namespace=coder -mount=secrets coder
or using the Vault API:
1curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"
Examples
Configure Vault integration with a non standard auth path (default is "jwt")
1module "vault" { 2 source = "registry.coder.com/modules/vault-jwt/coder" 3 version = "1.0.20" 4 agent_id = coder_agent.example.id 5 vault_addr = "https://vault.example.com" 6 vault_jwt_auth_path = "oidc" 7 vault_jwt_role = "coder" # The Vault role to use for authentication 8}
Map workspace owner's group to a Vault role
1data "coder_workspace_owner" "me" {} 2 3module "vault" { 4 source = "registry.coder.com/modules/vault-jwt/coder" 5 version = "1.0.20" 6 agent_id = coder_agent.example.id 7 vault_addr = "https://vault.example.com" 8 vault_jwt_role = data.coder_workspace_owner.me.groups[0] 9}
Install a specific version of the Vault CLI
1module "vault" { 2 source = "registry.coder.com/modules/vault-jwt/coder" 3 version = "1.0.20" 4 agent_id = coder_agent.example.id 5 vault_addr = "https://vault.example.com" 6 vault_jwt_role = "coder" # The Vault role to use for authentication 7 vault_cli_version = "1.17.5" 8}