From 6cafded1fc821341ef936d1d15964f8cb52ef0e7 Mon Sep 17 00:00:00 2001
From: Ari Kalfus
Date: Thu, 16 Feb 2023 10:59:05 -0500
Subject: [PATCH] docs: update text and vault version references
---
 .github/script/1-setup.sh | 7 ++++++-
 .github/script/2-setup.sh | 2 +-
 .github/script/3-setup.sh | 2 +-
 .github/script/4-setup.sh | 2 +-
 .github/workflows/1-oidc-hello-world.yml | 2 +-
 .github/workflows/2-pull-request.yml | 2 +-
 .github/workflows/3-main-branch.yml | 2 +-
 .github/workflows/4-environment.yml | 4 ++--
 .pre-commit-config.yaml | 2 +-
 README.md | 17 ++++++++++-------
 10 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/.github/script/1-setup.sh b/.github/script/1-setup.sh
index c453ebb..bdb51d6 100755
--- a/.github/script/1-setup.sh
+++ b/.github/script/1-setup.sh
@@ -5,7 +5,7 @@ set -eu
 # Install Vault binary
 wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-sudo apt update && sudo apt install vault=1.12.2-1
+sudo apt update && sudo apt install vault=1.12.3-1
 # Initialize Vault for this scenario
 vault login vaultiscool
@@ -22,6 +22,11 @@ path "secret/data/foobar" {
 capabilities = ["read"]
 }
 EOF
+# This grants ANYONE on github.com the ability to authenticate to your Vault server!
+# DO NOT USE THIS IN REAL LIFE
+# Every other workflow configuration in this tutorial is real-world viable, but this
+# is configured solely to allow attendees of this course to authenticate from their
+# clone of this repo - enable a quick win in the first exercise of the course.
 vault write auth/gha/role/hello-world - << EOF
 {
 "role_type": "jwt",
diff --git a/.github/script/2-setup.sh b/.github/script/2-setup.sh
index cb0b049..d3c005d 100755
--- a/.github/script/2-setup.sh
+++ b/.github/script/2-setup.sh
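Review bot: The comment block added above `vault write auth/gha/role/hello-world` says not to use this role in real life but never says what a real-world role should bind on, so anyone copying the snippet has no pointer to the fix. Per this patch's own README hunk the role is bound only on the `iss` claim, which is why any token GitHub issues is accepted; I would add `# A real role must also pin bound_audiences and bound_claims (e.g. repository or sub) so only your own workflows can log in.` right after the `DO NOT USE THIS IN REAL LIFE` line. The heredoc that defines the role continues past the end of the hunk, so the actual claim bindings (presumably in `bound_claims`) are not visible here and should be checked against that advice.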
@@ -5,7 +5,7 @@ set -eu
 # Install Vault binary
 wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-sudo apt update && sudo apt install vault=1.12.2-1
+sudo apt update && sudo apt install vault=1.12.3-1
 # Initialize Vault for this scenario
 vault login vaultiscool
diff --git a/.github/script/3-setup.sh b/.github/script/3-setup.sh
index 3ed1488..60c0196 100755
--- a/.github/script/3-setup.sh
+++ b/.github/script/3-setup.sh
@@ -5,7 +5,7 @@ set -eu
 # Install Vault binary
 wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-sudo apt update && sudo apt install vault=1.12.2-1
+sudo apt update && sudo apt install vault=1.12.3-1
 # Initialize Vault for this scenario
 vault login vaultiscool
diff --git a/.github/script/4-setup.sh b/.github/script/4-setup.sh
index 28b6ee3..c8e67ce 100755
--- a/.github/script/4-setup.sh
+++ b/.github/script/4-setup.sh
@@ -5,7 +5,7 @@ set -eu
 # Install Vault binary
 wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-sudo apt update && sudo apt install vault=1.12.2-1
+sudo apt update && sudo apt install vault=1.12.3-1
 # Initialize Vault for this scenario
 vault login vaultiscool
diff --git a/.github/workflows/1-oidc-hello-world.yml b/.github/workflows/1-oidc-hello-world.yml
index 2c27845..ff2277f 100644
--- a/.github/workflows/1-oidc-hello-world.yml
+++ b/.github/workflows/1-oidc-hello-world.yml
@@ -26,7 +26,7 @@ jobs:
 # Reference: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices
 services:
 vault:
- image: vault:1.12.2
+ image: vault:1.12.3
 # Make vault accessible to the runner at localhost:8200
 ports:
 - 8200:8200
diff --git a/.github/workflows/2-pull-request.yml b/.github/workflows/2-pull-request.yml
index 91e1648..6cacf7b 100644
--- a/.github/workflows/2-pull-request.yml
+++ b/.github/workflows/2-pull-request.yml
@@ -30,7 +30,7 @@ jobs:
 # Reference: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices
 services:
 vault:
- image: vault:1.12.2
+ image: vault:1.12.3
 # Make vault accessible to the runner at localhost:8200
 ports:
 - 8200:8200
diff --git a/.github/workflows/3-main-branch.yml b/.github/workflows/3-main-branch.yml
index b167508..91ec2cb 100644
--- a/.github/workflows/3-main-branch.yml
+++ b/.github/workflows/3-main-branch.yml
@@ -30,7 +30,7 @@ jobs:
 # Reference: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices
 services:
 vault:
- image: vault:1.12.2
+ image: vault:1.12.3
 # Make vault accessible to the runner at localhost:8200
 ports:
 - 8200:8200
diff --git a/.github/workflows/4-environment.yml b/.github/workflows/4-environment.yml
index 97e0d73..5ba01ab 100644
--- a/.github/workflows/4-environment.yml
+++ b/.github/workflows/4-environment.yml
@@ -29,7 +29,7 @@ jobs:
 # Reference: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices
 services:
 vault:
- image: vault:1.12.2
+ image: vault:1.12.3
 # Make vault accessible to the runner at localhost:8200
 ports:
 - 8200:8200
@@ -104,7 +104,7 @@ jobs:
 runs-on: ubuntu-latest
 services:
 vault:
- image: vault:1.12.2
+ image: vault:1.12.3
 ports:
 - 8200:8200
 env:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 112ca51..a025f4d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,6 +10,6 @@ repos:
 - id: mixed-line-ending
 - repo: https://github.com/rhysd/actionlint
- rev: v1.6.22
+ rev: v1.6.23
 hooks:
 - id: actionlint-docker
diff --git a/README.md b/README.md
index 27be1ac..14205e7 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Understand the principles behind configuring OIDC authentication from GitHub Action workflows to HashiCorp Vault for least-privilege access to secrets from CI/CD pipelines.
-- **Who is this for**: Developers, Security engineers, and operators of secrets management programs inside organizations.
+- **Who is this for**: Developers, security engineers, and operators of secrets management programs.
 - **What you'll learn**: How to use GitHub OIDC for fine-grained role access to secrets in HashiCorp Vault.
 - **What you'll build**: You will create three GitHub Action workflows retrieving secrets from Vault for the following use cases:
 1. Non-production secrets for integration testing within pull requests
@@ -20,7 +20,7 @@ Understand the principles behind configuring OIDC authentication from GitHub Act
 - **Prerequisites**:
 1. You should have basic proficiency working with HashiCorp Vault.
 You should understand how Vault roles correspond to HCL policies and how policies grant access to secrets.
- Completing HashiCorp's Vault [Getting Started](https://developer.hashicorp.com/vault/tutorials/getting-started) tutorial is sufficient.
+ Completing HashiCorp's [Vault Getting Started](https://developer.hashicorp.com/vault/tutorials/getting-started) tutorial is sufficient.
 1. You should also understand the layout of a GitHub Actions workflow file.
 The GitHub tutorial [Continuous Integration](https://github.com/skills/continuous-integration) provides a good introduction.
 - **How long**: This course is 4 steps long and takes about 1 hour to complete.
@@ -156,12 +156,12 @@ Also see ["Permissions for the `GITHUB_TOKEN`"](https://docs.github.com/en/actio
 run: ./.github/script/1-setup.sh
 ```
-For the purposes of this course, we set up a dev Vault instance for you to authenticate against using OIDC.
+For the purposes of this course, we set up a local Vault instance for you to authenticate against using OIDC.
 We'll take a look at this setup script in a moment.
 ```yml
 - name: Retrieve Secrets
- uses: hashicorp/vault-action@v2.4.3
+ uses: hashicorp/vault-action@v2.5.0
 id: secrets
 with:
 url: http://127.0.0.1:8200
@@ -250,7 +250,7 @@ EOF
 Finally, we created a role that binds to the `iss` claim in GitHub's OIDC token.
 This claim means that anyone anywhere on github.com can authenticate to this Vault instance and be granted the `hello-policy` policy.
-You don't want to use this in real life! :wink: :scream:
+**You don't want to use this in real life!** :wink: :scream:
 We'll explore real-world examples of fine-grained access in the next steps of this course.
 Let's look at the other values:
@@ -337,8 +337,11 @@ Open a pull request from your branch to the `main` branch.
 git commit -m "Add OIDC role for pull requests"
 gh pr create --title "Fine-grained permissions - pull requests" --body "This pull request adds a new workflow that uses Vault to retrieve a secret only if the workflow runs inside a pull request."
 ```
- The `gh` command comes from the [GitHub CLI](https://cli.github.com/).
- You can create the pull request from the UI as well.
+
+ > **Note**
+ >
+ > The `gh` command comes from the [GitHub CLI](https://cli.github.com/).
+ > You can create the pull request from the UI as well.
 1. Go to the **Pull Requests** tab and open your new pull request.
 After a few seconds, you should observe the `Step 2, Fine-grained permissions - pull requests` workflow begin to run on your PR.