From 4c2914c7f884b28b83fcea848969dacf2caaff90 Mon Sep 17 00:00:00 2001
From: Andreas Olsson
Date: Sat, 18 Nov 2023 15:50:51 +0100
Subject: [PATCH] WIP: combine scripts

---
 action.yaml | 17 +++++------------
 github-auth | 19 -------------------
 github-vault-auth | 31 +++++++++++++++++++++++++++++++
 vault-auth | 20 --------------------
 4 files changed, 36 insertions(+), 51 deletions(-)
 delete mode 100755 github-auth
 create mode 100755 github-vault-auth
 delete mode 100755 vault-auth

diff --git a/action.yaml b/action.yaml
index 2071341..9edbd3c 100644
--- a/action.yaml
+++ b/action.yaml
@@ -52,20 +52,13 @@ runs:
 JWT_AUDIENCE: ${{ inputs.jwt_audience }}
 VAULT_SERVER: ${{ inputs.vault_server }}

- - name: Request JWT from GitHub
- id: github_auth
+ - name: Use GitHub OIDC to authenticate towards Vault
+ id: vault_auth
 shell: bash
- run: "${ACTION_PATH}/github-auth"
+ run: "${ACTION_PATH}/github-vault-auth"
 env:
 ACTION_PATH: ${{ github.action_path }}
 AUDIENCE: ${{ steps.determine.outputs.audience }}
-
- - name: Self auth towards Vault
- id: vault_self_auth
- shell: bash
- run: "${ACTION_PATH}/vault-auth"
- env:
- ACTION_PATH: ${{ github.action_path }}
 BACKEND: ${{ inputs.oidc_backend }}
 JWT_TOKEN: ${{ steps.github_auth.outputs.jwt_token }}
 ROLE: ${{ inputs.oidc_role }}
@@ -78,7 +71,7 @@ runs:
 env:
 ACTION_PATH: ${{ github.action_path }}
 VAULT_SERVER: ${{ inputs.vault_server }}
- VAULT_TOKEN: ${{ steps.vault_self_auth.outputs.vault_token }}
+ VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
 SSH_BACKEND: ${{ inputs.ssh_backend }}
 SSH_ROLE: ${{ inputs.ssh_role }}
 TMPDIR: ${{ runner.temp }}
@@ -90,4 +83,4 @@ runs:
 curl --fail --silent --show-error --header "X-Vault-Token: ${VAULT_TOKEN}" --data "" "${VAULT_SERVER}/v1/auth/token/revoke-self"
 env:
 VAULT_SERVER: ${{ inputs.vault_server }}
- VAULT_TOKEN: ${{ steps.vault_self_auth.outputs.vault_token }}
+ VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
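Review bot: `JWT_TOKEN: ${{ steps.github_auth.outputs.jwt_token }}` in the env of the new `vault_auth` step still references the step id `github_auth`, which this hunk removes, so the expression now expands to an empty string on every run. The combined `github-vault-auth` script never reads `JWT_TOKEN` either (it keeps the JWT in its local `github_jwt`), so the line should be deleted rather than repointed; dropping it also keeps the JWT from ever becoming a step output again. The script reads `VAULT_SERVER` under `set -o nounset`, and the rest of this step's env list lies outside the hunk, so confirm that `VAULT_SERVER: ${{ inputs.vault_server }}` was carried over from the deleted `vault_self_auth` step.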
diff --git a/github-auth b/github-auth
deleted file mode 100755
index 477bf2b..0000000
--- a/github-auth
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-set -o errexit
-set -o nounset
-set -o noglob
-set -o pipefail
-
-response=$(mktemp)
-trap 'rm "$response"' EXIT
-
-curl \
- --fail \
- --silent \
- --show-error \
- --output "$response" \
- --header "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
- "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}"
-
-jwt=$(jq --exit-status --raw-output .value "$response")
-echo "jwt_token=$jwt" >> "$GITHUB_OUTPUT"
diff --git a/github-vault-auth b/github-vault-auth
new file mode 100755
index 0000000..c0b000f
--- /dev/null
+++ b/github-vault-auth
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o noglob
+set -o pipefail
+
+github_response=$(mktemp)
+vault_response=$(mktemp)
+trap 'rm "$github_response" "$vault_response"' EXIT
+
+curl \
+ --fail \
+ --silent \
+ --show-error \
+ --output "$github_response" \
+ --header "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}"
+
+github_jwt=$(jq --exit-status --raw-output .value "$github_response")
+
+curl \
+ --fail \
+ --silent \
+ --show-error \
+ --output "$vault_response" \
+ --data '{"jwt": "'"$github_jwt"'", "role": "'"$ROLE"'"}' \
+ "${VAULT_SERVER}/v1/auth/${BACKEND}/login"
+
+vault_token=$(jq --exit-status --raw-output .auth.client_token "$vault_response")
+echo "::add-mask::$vault_token"
+echo "vault_token=$vault_token" >> "$GITHUB_OUTPUT"
diff --git a/vault-auth b/vault-auth
deleted file mode 100755
index 52f79c2..0000000
--- a/vault-auth
+++ /dev/null
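Review bot: The login body on the `--data` line is built by splicing `$github_jwt` and `$ROLE` into a JSON literal, so a `"` or backslash in the `ROLE` input (an action input passed through `${{ inputs.oidc_role }}`, not a value this script controls) yields a malformed or re-shaped request body instead of a rejected login. Building the body with `jq --arg` escapes both values correctly, and feeding it to curl on stdin via `--data @-` also keeps the OIDC JWT out of curl's argument list, which other processes on a shared or self-hosted runner can read. `set -o pipefail` is already in effect, so a jq failure still aborts the script. The same splice existed in the deleted `vault-auth`, so this is not a regression, but the rewrite is the moment to fix it.

```shell
# … unchanged: GitHub OIDC request and github_jwt extraction …
jq --null-input --arg jwt "$github_jwt" --arg role "$ROLE" '{jwt: $jwt, role: $role}' |
  curl \
    --fail \
    --silent \
    --show-error \
    --output "$vault_response" \
    --header 'Content-Type: application/json' \
    --data @- \
    "${VAULT_SERVER}/v1/auth/${BACKEND}/login"
# … unchanged: vault_token extraction, add-mask and GITHUB_OUTPUT write …
```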
@@ -1,20 +0,0 @@
-#!/bin/bash
-set -o errexit
-set -o nounset
-set -o noglob
-set -o pipefail
-
-response=$(mktemp)
-trap 'rm "$response"' EXIT
-
-curl \
- --fail \
- --silent \
- --show-error \
- --output "$response" \
- --data '{"jwt": "'"$JWT_TOKEN"'", "role": "'"$ROLE"'"}' \
- "${VAULT_SERVER}/v1/auth/${BACKEND}/login"
-
-token=$(jq --exit-status --raw-output .auth.client_token "$response")
-echo "::add-mask::$token"
-echo "vault_token=$token" >> "$GITHUB_OUTPUT"