This module lets you authenticate with HashiCorp Vault in your Coder workspaces by reusing the OIDC access token from Coder's OIDC authentication method. This requires configuring the Vault JWT/OIDC auth method.
```hcl
module "vault" {
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.19"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = "coder" # The Vault role to use for authentication
}
```
Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
```shell
vault kv get -namespace=coder -mount=secrets coder
```
or using the Vault API:
```shell
curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"
```
To log in through a JWT/OIDC auth method mounted at a path other than the default, set `vault_jwt_auth_path`:

```hcl
module "vault" {
  source              = "registry.coder.com/modules/vault-jwt/coder"
  version             = "1.0.19"
  agent_id            = coder_agent.example.id
  vault_addr          = "https://vault.example.com"
  vault_jwt_auth_path = "oidc"
  vault_jwt_role      = "coder" # The Vault role to use for authentication
}
```
The Vault role does not have to be a fixed string; here it is taken from the workspace owner's first group, so each group maps to its own Vault role:

```hcl
data "coder_workspace_owner" "me" {}

module "vault" {
  source         = "registry.coder.com/modules/vault-jwt/coder"
  version        = "1.0.19"
  agent_id       = coder_agent.example.id
  vault_addr     = "https://vault.example.com"
  vault_jwt_role = data.coder_workspace_owner.me.groups[0]
}
```
To pin the Vault CLI version installed in the workspace, set `vault_cli_version`:

```hcl
module "vault" {
  source            = "registry.coder.com/modules/vault-jwt/coder"
  version           = "1.0.19"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_jwt_role    = "coder" # The Vault role to use for authentication
  vault_cli_version = "1.17.5"
}
```
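The exchange behind all of the configurations above is the same: the module presents the workspace owner's OIDC token to Vault's JWT login endpoint (`POST /v1/auth/<mount>/login` with `role` and `jwt`), and Vault only issues a token if the JWT's signature, expiry, audience and any bound claims match the named role. The Python below is an added illustration, not code from the module or from Vault: it builds the login request the way the module's `vault_addr`, `vault_jwt_auth_path` and `vault_jwt_role` inputs would, and emulates the role checks Vault performs on the Vault side. The default auth path `jwt`, the HS256-signed token and the role configuration are constructed for the demo; a real Coder OIDC token is signed by the identity provider and verified by Vault against the provider's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: Dict, key: bytes) -> str:
    # Constructed HS256 token for offline demonstration only. A real Coder
    # OIDC access token is signed by the identity provider (typically RS256)
    # and Vault fetches the provider's JWKS to verify it.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def vault_login_request(vault_addr: str, role: str, jwt: str, auth_path: str = "jwt") -> Tuple[str, Dict]:
    # Vault's JWT auth login endpoint: POST {vault_addr}/v1/auth/{mount}/login.
    # auth_path corresponds to the module's vault_jwt_auth_path input; "jwt" as
    # the default here is an assumption for the demo.
    url = f"{vault_addr.rstrip('/')}/v1/auth/{auth_path.strip('/')}/login"
    return url, {"role": role, "jwt": jwt}


def verify_and_bind(jwt: str, key: bytes, role_cfg: Dict, now: Optional[int] = None) -> str:
    """Emulate the checks a Vault JWT role applies before issuing a token.

    Returns the identity alias name (the value of the role's user_claim) or
    raises ValueError with the reason the login would be rejected.
    """
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # 1. Signature must verify; an unsigned or tampered token is rejected first.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 2. Expired tokens are rejected.
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # 3. The audience must be one the role is bound to, so a token minted for a
    #    different relying party cannot be replayed against this role.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(role_cfg["bound_audiences"]):
        raise ValueError("audience not bound to this role")
    # 4. Any bound_claims (e.g. groups) must match; this is what keeps the
    #    groups[0]-style role mapping from granting a role to the wrong users.
    for claim, allowed in role_cfg.get("bound_claims", {}).items():
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value]
        if not set(values) & set(allowed):
            raise ValueError(f"claim {claim!r} does not match role binding")
    # 5. The user_claim names the identity alias; without it there is no entity.
    user = claims.get(role_cfg["user_claim"])
    if not user:
        raise ValueError("user_claim missing from token")
    return str(user)


def login_accepted(jwt: str, key: bytes, role_cfg: Dict, now: Optional[int] = None) -> bool:
    try:
        verify_and_bind(jwt, key, role_cfg, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    role = {"bound_audiences": ["coder"], "user_claim": "email", "bound_claims": {"groups": ["platform"]}}
    token = make_jwt({"aud": "coder", "email": "dev@example.com", "groups": ["platform"], "exp": 2_000_000_000}, key)
    print(vault_login_request("https://vault.example.com", "coder", token, auth_path="oidc"))
    print("alias:", verify_and_bind(token, key, role, now=1_500_000_000))
```

The role configuration is the part to get right on the Vault side: without `bound_audiences` (and `bound_claims` where roles are derived from groups), any valid token from the same identity provider would satisfy the role.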