WIP: combine scripts

andreaso · Nov 18, 2023 · 4c2914c · 4c2914c
1 parent 815448d
commit 4c2914c
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 51 deletions.
diff --git a/action.yaml b/action.yaml
@@ -52,20 +52,13 @@ runs:
         JWT_AUDIENCE: ${{ inputs.jwt_audience }}
         VAULT_SERVER: ${{ inputs.vault_server }}
 
-    - name: Request JWT from GitHub
-      id: github_auth
+    - name: Use GitHub OIDC to authenticate towards Vault
+      id: vault_auth
       shell: bash
-      run: "${ACTION_PATH}/github-auth"
+      run: "${ACTION_PATH}/github-vault-auth"
       env:
         ACTION_PATH: ${{ github.action_path }}
         AUDIENCE: ${{ steps.determine.outputs.audience }}
-
-    - name: Self auth towards Vault
-      id: vault_self_auth
-      shell: bash
-      run: "${ACTION_PATH}/vault-auth"
-      env:
-        ACTION_PATH: ${{ github.action_path }}
         BACKEND: ${{ inputs.oidc_backend }}
         JWT_TOKEN: ${{ steps.github_auth.outputs.jwt_token }}
         ROLE: ${{ inputs.oidc_role }}
@@ -78,7 +71,7 @@ runs:
       env:
         ACTION_PATH: ${{ github.action_path }}
         VAULT_SERVER: ${{ inputs.vault_server }}
-        VAULT_TOKEN: ${{ steps.vault_self_auth.outputs.vault_token }}
+        VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
         SSH_BACKEND: ${{ inputs.ssh_backend }}
         SSH_ROLE: ${{ inputs.ssh_role }}
         TMPDIR: ${{ runner.temp }}
@@ -90,4 +83,4 @@ runs:
         curl --fail --silent --show-error --header "X-Vault-Token: ${VAULT_TOKEN}" --data "" "${VAULT_SERVER}/v1/auth/token/revoke-self"
       env:
         VAULT_SERVER: ${{ inputs.vault_server }}
-        VAULT_TOKEN: ${{ steps.vault_self_auth.outputs.vault_token }}
+        VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
diff --git a/github-auth b/github-auth
diff --git a/github-vault-auth b/github-vault-auth
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o noglob
+set -o pipefail
+
+github_response=$(mktemp)
+vault_response=$(mktemp)
+trap 'rm "$github_response" "$vault_response"' EXIT
+
+curl \
+    --fail \
+    --silent \
+    --show-error \
+    --output "$github_response" \
+    --header "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}"
+
+github_jwt=$(jq --exit-status --raw-output .value "$github_response")
+
+curl \
+    --fail \
+    --silent \
+    --show-error \
+    --output "$vault_response" \
+    --data '{"jwt": "'"$github_jwt"'", "role": "'"$ROLE"'"}' \
+    "${VAULT_SERVER}/v1/auth/${BACKEND}/login"
+
+vault_token=$(jq --exit-status --raw-output .auth.client_token "$vault_response")
+echo "::add-mask::$vault_token"
+echo "vault_token=$vault_token" >> "$GITHUB_OUTPUT"
diff --git a/vault-auth b/vault-auth