feat(): add support for github provided jwt auth #257

Merged
merged 13 commits into from
Oct 8, 2021

Conversation


@blz-ea blz-ea commented Sep 22, 2021

This PR adds support for GitHub-provided JWT.

Example Usage

#...
jobs:
  # ...
  build:
    permissions:
      id-token: write
      contents: read
    steps:
      # ...
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action
        with:
          url: https://vault.mycompany.com:8200
          method: jwt
          role: github-action
          secrets: |
              secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
              secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY

Example GitHub-provided JWT

{
  "jti": "871e293a-7d48-466f-8f5f-e1713ae152cb",
  "sub": "repo:blz-ea/example-repo:ref:refs/heads/blz-ea-patch-1",
  "aud": "sigstore",
  "ref": "refs/heads/blz-ea-patch-1",
  "sha": "75829399ab789a6f927f6a7be1df283d4ee51e66",
  "repository": "blz-ea/example-repo",
  "repository_owner": "blz-ea",
  "run_id": "1262466604",
  "run_number": "19",
  "run_attempt": "2",
  "actor": "blz-ea",
  "workflow": "My Workflow Name",
  "head_ref": "",
  "base_ref": "",
  "event_name": "push",
  "ref_type": "branch",
  "job_workflow_ref": "blz-ea/example-repo/.github/workflows/test.yml@refs/heads/blz-ea-patch-1",
  "iss": "https://vstoken.actions.githubusercontent.com",
  "nbf": 1632324904,
  "exp": 1632325804,
  "iat": 1632325504
}

Example JWT Auth Config

{
  "jwt_validation_pubkeys" : [
    "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzW2j18tSka65aoPgmyk7\naUkYE7MmO8z9tM/HoKVJ+w/alYIknkf7pgBeWWfqRgkRfmDuJa8hATL20+bD9cQZ\n8uVAG1reQfIMxqxwt3DA6q37Co41NdgZ0MUTTQpfC0JyDbDwM/ZIzis1cQ1teJcr\nPBTQJ3TjvyBHeqDmEs2ZCmGLuHZloep8Y/4hmMBfMOFkz/7mWH7NPuhOLWnPTIKx\nnMuHl4EVdNL6CvIYEnzF24m/pf3IEM84vszL2s6+X7AbFheZVig8WqhEwiVjbUVx\nXcY4PtbK0z3jhgxcpjc6WTH0JlRedpq2ABowWZg+pxOoWZUAETfj6qBlbIn/F9kp\nyQIDAQAB\n-----END PUBLIC KEY-----"
  ],
  "bound_issuer": "https://vstoken.actions.githubusercontent.com"
}

Example JWT Role

{
  "role_type": "jwt",
  "bound_audiences": [ "sigstore" ],
  "policies": [
    "github-action"
  ],
  "token_explicit_max_ttl": 60,
  "bound_claims": {
    "repository": "*"
  },
  "subject_claim": "repository",
  "groups_claim": "sha",
  "user_claim": "actor",
  "bound_claims_type": "glob"
}

Notice: based on an unreleased GitHub feature
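The config and role above are what Vault evaluates after it has verified the token signature against `jwt_validation_pubkeys`: the `bound_issuer` must equal `iss`, one of `bound_audiences` must appear in `aud`, the token must be inside its `nbf`/`exp` window, and every `bound_claims` entry must match the corresponding claim (with `bound_claims_type: glob`, as a wildcard pattern). The script below is an added example, not code from vault-action or from Vault itself; it models that evaluation in Python so the effect of a role can be checked offline. The claims are a constructed copy of the sample token in this PR, `PERMISSIVE_ROLE` mirrors the `"repository": "*"` role above, and `TIGHT_ROLE` is a hypothetical variant that pins the repository owner and branch. Python's `fnmatch` stands in for Vault's glob matcher and is only an approximation of it.

```python
import fnmatch
import time

# Constructed sample: the decoded claims of the GitHub OIDC token shown in the PR
# description. Signature verification against jwt_validation_pubkeys is assumed to
# have happened before these claims are trusted; it is not repeated here.
SAMPLE_CLAIMS = {
    "jti": "871e293a-7d48-466f-8f5f-e1713ae152cb",
    "sub": "repo:blz-ea/example-repo:ref:refs/heads/blz-ea-patch-1",
    "aud": "sigstore",
    "ref": "refs/heads/blz-ea-patch-1",
    "repository": "blz-ea/example-repo",
    "repository_owner": "blz-ea",
    "actor": "blz-ea",
    "event_name": "push",
    "ref_type": "branch",
    "iss": "https://vstoken.actions.githubusercontent.com",
    "nbf": 1632324904,
    "exp": 1632325804,
    "iat": 1632325504,
}

# Auth-method config and role, mirroring the JSON in the PR description.
JWT_CONFIG = {"bound_issuer": "https://vstoken.actions.githubusercontent.com"}

PERMISSIVE_ROLE = {
    "bound_audiences": ["sigstore"],
    "bound_claims_type": "glob",
    "bound_claims": {"repository": "*"},  # any repository on github.com matches
}

# Hypothetical tightened role (not on the page): pins the owner and the branch.
TIGHT_ROLE = {
    "bound_audiences": ["sigstore"],
    "bound_claims_type": "glob",
    "bound_claims": {"repository": "blz-ea/*", "ref": "refs/heads/main"},
}


def _claim_matches(actual, expected, claims_type):
    """Match one claim value against the role's expected value or list of values.

    fnmatch stands in for Vault's glob matcher; it also honours '?' and '[...]',
    which Vault's '*'-only glob does not, so treat this as an approximation.
    """
    candidates = expected if isinstance(expected, list) else [expected]
    if claims_type == "glob":
        return any(fnmatch.fnmatchcase(str(actual), str(c)) for c in candidates)
    return any(actual == c for c in candidates)


def evaluate_login(claims, config, role, now=None):
    """Decide whether a set of verified claims satisfies the config and role.

    Returns (allowed, reasons); reasons is empty when the login is allowed.
    """
    now = time.time() if now is None else now
    reasons = []

    if claims.get("iss") != config["bound_issuer"]:
        reasons.append(f"issuer {claims.get('iss')!r} != bound_issuer")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not set(audiences) & set(role["bound_audiences"]):
        reasons.append(f"audience {audiences!r} not in bound_audiences")

    if now >= claims.get("exp", 0):
        reasons.append("token expired")
    if now < claims.get("nbf", 0):
        reasons.append("token not yet valid")

    for name, expected in role["bound_claims"].items():
        if name not in claims:
            reasons.append(f"required claim {name!r} missing")
        elif not _claim_matches(claims[name], expected, role["bound_claims_type"]):
            reasons.append(f"claim {name}={claims[name]!r} does not match {expected!r}")

    return (not reasons, reasons)


if __name__ == "__main__":
    valid_now = 1632325600  # inside the sample token's nbf..exp window
    for label, role in (("permissive", PERMISSIVE_ROLE), ("tight", TIGHT_ROLE)):
        allowed, why = evaluate_login(SAMPLE_CLAIMS, JWT_CONFIG, role, now=valid_now)
        print(f"{label:10s} allowed={allowed} {why}")
```

Running it shows the sample token passing the permissive role and failing the tight one only on the `ref` claim. Swapping in claims from any other repository still passes the permissive role, which is the practical meaning of `"repository": "*"`: with that role, the policy `github-action` is reachable from any GitHub Actions workflow that can mint a token with audience `sigstore`, so the bound claims are where the trust boundary is actually drawn.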

@imthaghost imthaghost self-requested a review September 24, 2021 23:20
- Update README
- Switch to use `getIDToken` method for Github token retrieval
- Bump `@actions/core` to 1.6.0
- Add `jwtGithubAudience` input
- Remove unnecessary code
fix: get token via `@actions/core`

@tvoran tvoran left a comment

This is looking great! Left a couple of thoughts.

It would also be great if you could remove the changes to dist/index.js since we typically don't update that file until we do a release.

And it would be even better if this could be tested in the integrationTests, similar to the regular jwt auth.

@blz-ea blz-ea requested a review from tvoran October 7, 2021 03:22

@tvoran tvoran left a comment

Works great! Thanks so much!

@imthaghost imthaghost added ecosystem enhancement New feature or request labels Oct 8, 2021
@imthaghost imthaghost merged commit c502100 into hashicorp:master Oct 8, 2021