martinbaillie / vault-plugin-secrets-github

Create ephemeral, finely-scoped @github access tokens using @hashicorp Vault.
https://martin.baillie.id/wrote/ephemeral-github-tokens-via-hashicorp-vault/
Apache License 2.0
269 stars 24 forks

Usage in a template: what secret type should be used? #116

Closed brucellino closed 5 months ago

brucellino commented 9 months ago

Hello!

Fine piece of work here, so let me start off by saying thanks. I have added this to my Vault at github_personal_tokens and have verified that I can issue tokens via the command line. So far so good.

Now, I would like to issue tokens to my Nomad jobs for GitHub Actions runners. They need a personal access token in order to generate a runner registration token, which seemed like a perfect example of what to use this plugin for.

I naively wanted to use a template block to generate the token and inject it into the job's environment:

template {
  data = <<EOT
    {{ with secret "github_personal_tokens/token" "installation_id=<my id>" "${NOMAD_META_REPO_SHORT_NAME}" }}
    GH_TOKEN={{- .Data.token -}}
    {{ end }}
  EOT
  destination = "secrets/.env"
  env = true
}

That, however, ended in tears because the secret engine is not a kv type.

So, my question is: what secret engine kind should I use instead of secret?

kberzinch commented 9 months ago

What is the specific outcome you get with that template? I have not tried this specific use case, but I use this plugin (1.x version though) with Concourse which treats it as a KV store, and that works fine.

If you take off the data portion (the installation id and the repo name) does it generate a token at all?
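For reference, the following is an added example, not code from the issue or from the plugin's own documentation. It shows how the same Nomad template can be written so that consul-template performs a write rather than a read: in consul-template, a `secret` call that carries extra `"key=value"` arguments is sent to Vault as a write to that path, which is what this plugin's `token` endpoint expects, so no other "secret engine kind" is needed. The mount path `github_personal_tokens`, the `installation_id=<my id>` placeholder and `NOMAD_META_REPO_SHORT_NAME` come from the issue; the job and policy names, the runner image, the `repositories=` and `permissions=` arguments and their exact formatting are assumptions for illustration and should be checked against the plugin's README for the version in use.

```hcl
# Assumed Vault policy "github-runner" (example, not from the issue).
# The plugin's token endpoint is written to, so the task needs the
# "update" capability on it; "read" alone will not work for a write.
path "github_personal_tokens/token" {
  capabilities = ["update"]
}

# Assumed Nomad job (example, not from the issue).
job "gh-runner" {
  datacenters = ["dc1"]

  # Supplies ${NOMAD_META_REPO_SHORT_NAME}; Nomad interpolates this
  # before consul-template sees the template text.
  meta {
    REPO_SHORT_NAME = "my-repo" # constructed sample value
  }

  group "runner" {
    task "runner" {
      driver = "docker"

      config {
        image = "ghcr.io/actions/actions-runner:latest" # assumed image
      }

      vault {
        policies = ["github-runner"]
      }

      template {
        # Every extra argument after the path must be a "key=value" pair;
        # a bare value such as "${NOMAD_META_REPO_SHORT_NAME}" is rejected
        # by consul-template before any request reaches Vault.
        # Scoping the token to one repository and one permission keeps it
        # at the minimum a runner registration call needs (assumed:
        # "administration=write" is the permission for that API call).
        data = <<EOT
{{ with secret "github_personal_tokens/token" "installation_id=<my id>" "repositories=${NOMAD_META_REPO_SHORT_NAME}" "permissions=administration=write" }}
GH_TOKEN={{ .Data.token }}
{{ end }}
EOT
        destination = "secrets/.env"
        env         = true
      }
    }
  }
}
```

Two things worth checking in practice: the issued token is a GitHub App installation token, which GitHub expires after one hour, so a task that uses it only at start (as with `env = true`) should fetch the runner registration token promptly and not rely on `GH_TOKEN` remaining valid for the life of the job; and if the template still fails, running the equivalent `vault write github_personal_tokens/token installation_id=... repositories=...` with the task's own Vault token will show whether the problem is the policy or the arguments.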