This guide demonstrates how to use your Gitpod workspace to retrieve secrets from HashiCorp Vault using the OpenID Connect (OIDC) auth method. This approach uses your existing OIDC provider for authentication, so you do not need to store multiple secrets as environment variables in the Gitpod dashboard.
- A Vault cluster.
- Desktop IDE connected to your Gitpod workspace via SSH.
Ensure the following environment variables are set in your Gitpod User Settings:
- `VAULT_ADDR`
- `VAULT_NAMESPACE`
- `VAULT_TOKEN`
See how to Access a Vault Cluster on HCP
Your workspace image should include the Vault CLI. In your `.gitpod.Dockerfile`, include the following:

```dockerfile
FROM gitpod/workspace-full
RUN brew tap hashicorp/tap
RUN brew install hashicorp/tap/vault
```
This image is then referenced in your `.gitpod.yml` with:

```yaml
image:
  file: .gitpod.Dockerfile
```
For officially signed HashiCorp packages for Linux, see Getting Started.
In your workspace terminal, run the following command to verify connectivity to the Vault cluster:

```shell
vault status
```
Follow HashiCorp's documentation to configure OIDC with Vault. This includes registering Vault with your OIDC provider of choice and setting the necessary policies. All of this can be done from within your Gitpod workspace. OIDC providers include:
- OIDC Auth method with Auth0
- OIDC Auth method with AzureAD
- OIDC Auth method with Okta
- Vault as an OIDC Identity Provider
Once OIDC is configured, log in to Vault using the command:

```shell
vault login -method=oidc
```

This will print a link that opens a browser window where you complete authentication.
After logging in, you can interact with Vault using the following commands:

```shell
vault kv list <secret>
vault kv get <path/to/secrets>
```
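The steps above can be chained into a small script that a Gitpod task sources at workspace start. The following is an added example, not part of the Gitpod documentation or the Vault project: it checks that `VAULT_ADDR` points at an HTTPS endpoint, logs in with `vault login -method=oidc -token-only` so the OIDC-issued token is exported as `VAULT_TOKEN` for the current shell only (with `-token-only`, the CLI does not write the token to `~/.vault-token`), and then loads individual KV fields into environment variables with `vault kv get -field=...` instead of echoing them to the terminal. The role name `gitpod-dev`, the secret path `secret/myapp`, and the field names are constructed placeholders; substitute the ones from your own Vault configuration.

```shell
#!/usr/bin/env sh
# Added example: load secrets from Vault into the shell after an OIDC login.
# Assumes the Vault CLI is on PATH and VAULT_ADDR (and VAULT_NAMESPACE, if used)
# are already set in the Gitpod workspace environment.
set -eu

# Refuse to talk to Vault over plaintext: the OIDC token and every secret
# fetched afterwards would otherwise travel unencrypted.
check_vault_env() {
  case "${VAULT_ADDR:-}" in
    https://*) return 0 ;;
    "")        echo "VAULT_ADDR is not set" >&2; return 1 ;;
    *)         echo "VAULT_ADDR must use https (got: $VAULT_ADDR)" >&2; return 1 ;;
  esac
}

# Log in with the OIDC auth method and print only the resulting token.
# $1 (optional): the Vault OIDC role to request.
# -token-only is a shortcut for -field=token -no-store, so the token is not
# persisted by the token helper; the caller decides where it lives.
oidc_login() {
  if [ -n "${1:-}" ]; then
    vault login -method=oidc -token-only "role=$1"
  else
    vault login -method=oidc -token-only
  fi
}

# Read a single field of a KV secret into an exported variable without
# printing it.  $1: secret path, $2: field name, $3: target variable name.
load_secret_field() {
  value="$(vault kv get -field="$2" "$1")"
  export "$3=$value"
  unset value
}

# Full flow for a workspace: verify the address, log in once, load secrets.
# $1: the Vault OIDC role to request (constructed example: gitpod-dev).
load_workspace_secrets() {
  check_vault_env
  VAULT_TOKEN="$(oidc_login "$1")"
  export VAULT_TOKEN
  # Constructed example paths and fields; replace with your own.
  load_secret_field secret/myapp db_password DB_PASSWORD
  load_secret_field secret/myapp api_key API_KEY
}
```

Save the file as, for example, `vault-oidc.sh` and source it from a `.gitpod.yml` task (`. ./vault-oidc.sh && load_workspace_secrets gitpod-dev`), so the variables become available in that terminal session rather than being stored in the Gitpod dashboard. Because the login runs inside the workspace, the browser callback on `localhost:8250` still needs the SSH setup described in the note below.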
- When registering Vault with your OIDC provider, the redirect URI `localhost:8250` will only work if you are running your IDE locally rather than in a browser.