Understand the principles behind configuring OIDC authentication from GitHub Action workflows to HashiCorp Vault for least-privilege access to secrets from CI/CD pipelines.
- Who is this for: Developers, security engineers, and operators of secrets management programs.
- What you'll learn: How to use GitHub OIDC for fine-grained role access to secrets in HashiCorp Vault.
- What you'll build: You will create three GitHub Action workflows retrieving secrets from Vault for the following use cases:
  - Non-production secrets for integration testing within pull requests
  - Production secrets for deployments of code from the main branch
  - Segregating access to secrets between jobs in a workflow file with GitHub Environments
- Prerequisites:
  - You should have basic proficiency working with HashiCorp Vault. You should understand how Vault roles correspond to HCL policies and how policies grant access to secrets. Completing HashiCorp's Vault Getting Started tutorial is sufficient.
  - You should also understand the layout of a GitHub Actions workflow file. The GitHub tutorial Continuous Integration provides a good introduction.
- How long: This course is 4 steps long and takes about 1 hour to complete.
- Make sure you are signed in to GitHub. Right-click Start course and open the link in a new tab.
- In the new tab, most of the prompts will automatically fill in for you.
- For owner, choose your personal account or an organization to host the repository.
- We recommend creating a public repository — private repositories will use Actions minutes.
- After your new repository is created, wait about 20 seconds, then refresh that page. Follow the step-by-step instructions in the new repository's README.
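As an added example (not part of this course or of Vault's own code), the following Python models the claim matching Vault's JWT auth method performs when a GitHub OIDC token logs in against one of the three roles the course builds: one bound to pull requests, one to the main branch, one to a GitHub Environment. The repository name, role names, audience and policy names are assumptions.

```python
from typing import Optional

ISSUER = "https://token.actions.githubusercontent.com"
REPO = "octo-org/octo-app"  # assumed repository name

# Each role mirrors a `vault write auth/jwt/role/<name> role_type=jwt user_claim=sub
# bound_audiences=... bound_claims=... token_policies=...` call; policy names are assumed.
ROLES = {
    "pr-integration": {   # non-production secrets for pull-request checks
        "bound_audiences": ["vault-ci"],
        "bound_claims": {"sub": f"repo:{REPO}:pull_request"},
        "token_policies": ["nonprod-read"],
    },
    "main-deploy": {      # production secrets only for code already on main
        "bound_audiences": ["vault-ci"],
        "bound_claims": {"sub": f"repo:{REPO}:ref:refs/heads/main"},
        "token_policies": ["prod-read"],
    },
    "prod-environment": { # jobs gated by the GitHub Environment "production"
        "bound_audiences": ["vault-ci"],
        "bound_claims": {"sub": f"repo:{REPO}:environment:production"},
        "token_policies": ["prod-deploy"],
    },
}

def policies_for(claims: dict, role: str) -> Optional[list]:
    """Policies a login against `role` would get, or None when the token fails a
    binding. Exact-match semantics only; bound_claims_type=glob is not modelled."""
    r = ROLES[role]
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or not set(auds) & set(r["bound_audiences"]):
        return None
    if any(claims.get(k) != v for k, v in r["bound_claims"].items()):
        return None
    return r["token_policies"]

def allowed_roles(claims: dict) -> list:
    """All roles this token can log in to; a well-scoped setup yields exactly one."""
    return [n for n in ROLES if policies_for(claims, n) is not None]

# Constructed sample payloads shaped like GitHub's OIDC token claims.
BASE = {"iss": ISSUER, "aud": "vault-ci", "repository": REPO}
PR_TOKEN = {**BASE, "sub": f"repo:{REPO}:pull_request", "ref": "refs/pull/42/merge"}
MAIN_TOKEN = {**BASE, "sub": f"repo:{REPO}:ref:refs/heads/main", "ref": "refs/heads/main"}
ENV_TOKEN = {**BASE, "sub": f"repo:{REPO}:environment:production", "environment": "production"}
BRANCH_TOKEN = {**BASE, "sub": f"repo:{REPO}:ref:refs/heads/feature-x", "ref": "refs/heads/feature-x"}
OTHER_REPO_TOKEN = {**BASE, "repository": "other-org/app", "sub": "repo:other-org/app:ref:refs/heads/main"}
```

Run `allowed_roles(...)` on each sample token to see that a pull-request token reaches only the non-production role, a main-branch token only the production role, and a feature-branch or foreign-repository token none of them.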
Get help: Post in our discussion board • Something not working? File an issue ticket
© 2022 Ari Kalfus • Code of Conduct • CC-BY-4.0 License