Birdie Kingston a8d92df7d5
feat(vault-token): add optional vault enterprise namespace variable (#108)
Added an optional envvar to the vault-token module to handle communicating
with a non-default Vault namespace.

In Vault Enterprise, you can run multiple secure, isolated Vault
environments from one Vault server.
Each namespace has its own authentication methods and secrets engines.
Vault uses the VAULT_NAMESPACE envvar to determine the namespace to use.
No value, or either `root` or `/`, will use the root (default) namespace;
any other value will use a different namespace.

In Vault Community Edition, the only supported namespace is "root"; no
other namespaces can be used.

In HCP Vault Dedicated (the SaaS-hosted version), you can't access Vault
without a namespace set.

This defaults to not setting the env var, so it is backwards compatible
and works with Vault CE.

---------

Co-authored-by: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
2025-05-27 19:57:14 -05:00

display_name: Hashicorp Vault Integration (Token)
description: Authenticates with Vault using Token
icon: ../../../../.icons/vault.svg
maintainer_github: coder
partner_github: hashicorp
verified: true
tags: [hashicorp, integration, vault, token]

Hashicorp Vault Integration (Token)

This module lets you authenticate with Hashicorp Vault in your Coder workspaces using a Vault token.

variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
}

module "vault" {
  source          = "registry.coder.com/coder/vault-token/coder"
  version         = "1.2.0"
  agent_id        = coder_agent.example.id
  vault_token     = var.vault_token # optional
  vault_addr      = "https://vault.example.com"
  vault_namespace = "prod" # optional, vault enterprise only
}

Then you can use the Vault CLI in your workspaces to fetch secrets from Vault. With the read-coder-secrets policy from the Configuration section below, the secret lives under the `coder` KV v2 mount, so the CLI call is:

vault kv get -mount=coder coder

The CLI reads the address, token and namespace from the VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE environment variables, so no -namespace flag is needed when the module's vault_namespace is set. The same read using the Vault API (KV v2 data is served under /v1/<mount>/data/<key>):

curl -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/coder/data/coder"

When a namespace is configured, add -H "X-Vault-Namespace: ${VAULT_NAMESPACE}" to the request; without it the call targets the root namespace, which is rejected on HCP Vault Dedicated, where access without a namespace is not possible.

Configuration

To configure the Vault module, create a Vault token with the required permissions and pass the token and Vault address to the module. Every workspace built from the template shares this token, so give it a policy that grants only read access to the paths your developers need; nothing in a workspace should be able to write or delete secrets with it.

  1. Create a vault policy with read access to the secret mount you need your developers to access.
    vault policy write read-coder-secrets - <<EOF
     path "coder/data/*" {
       capabilities = ["read"]
     }
     path "coder/metadata/*" {
       capabilities = ["read"]
     }
     EOF
    
  2. Create a token using this policy. The token receives the token auth method's default TTL unless you set one explicitly with -ttl; note the expiry and rotate the template's token before it lapses.
    vault token create -policy="read-coder-secrets"
    
  3. Copy the generated token and use in your template.
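The following is an added example, not code from the Coder vault-token module or from HashiCorp. It is an offline model of three things the steps above and the commit message rely on: how VAULT_NAMESPACE is interpreted ("", "root" and "/" select the root namespace and send no X-Vault-Namespace header), how `vault kv get -mount=<mount> <key>` maps to the KV v2 API path /v1/<mount>/data/<key>, and whether a policy such as read-coder-secrets actually grants a capability on a path under Vault's policy path rules (exact match, trailing `*` prefix glob, `+` single-segment wildcard, most specific rule wins, `deny` overrides). Multi-policy merging and `sudo` are not modelled. The policy is the page's own; the token value and the namespace "prod" are constructed placeholders.

```python
"""Offline model of Vault namespace headers, KV v2 paths and policy matching.

Added example for the vault-token README; not part of the module itself.
Assumptions: the policy is the page's read-coder-secrets policy, the token
string and namespace are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

Policy = List[Tuple[str, List[str]]]

# The read-coder-secrets policy from the Configuration section.
READ_CODER_SECRETS: Policy = [
    ("coder/data/*", ["read"]),
    ("coder/metadata/*", ["read"]),
]


def namespace_headers(token: str, namespace: Optional[str]) -> Dict[str, str]:
    """Request headers for a token and a VAULT_NAMESPACE value."""
    headers = {"X-Vault-Token": token}
    ns = (namespace or "").strip()
    if ns not in ("", "root", "/"):      # anything else is a child namespace
        headers["X-Vault-Namespace"] = ns
    return headers


def kv2_api_path(mount: str, key: str, metadata: bool = False) -> str:
    """HTTP path behind `vault kv get -mount=<mount> <key>` on a KV v2 engine."""
    kind = "metadata" if metadata else "data"
    return f"/v1/{mount.strip('/')}/{kind}/{key.strip('/')}"


def path_matches(pattern: str, path: str) -> bool:
    """Vault policy path matching for a single path pattern."""
    pseg, seg = pattern.split("/"), path.split("/")
    glob = pseg[-1].endswith("*")
    if glob:
        pseg[-1] = pseg[-1][:-1]          # keep any literal text before '*'
    if len(seg) < len(pseg) or (not glob and len(seg) != len(pseg)):
        return False
    for i, want in enumerate(pseg):
        if glob and i == len(pseg) - 1:
            return seg[i].startswith(want)  # trailing '*' is a prefix match
        if want != "+" and want != seg[i]:  # '+' matches exactly one segment
            return False
    return True


def allows(policy: Policy, capability: str, path: str) -> bool:
    """True if the policy grants `capability` on `path` (default deny)."""
    matches = [(pat, caps) for pat, caps in policy if path_matches(pat, path)]
    if not matches:
        return False
    # Most specific rule wins: an exact match beats a glob, longer beats shorter.
    _pat, caps = max(matches, key=lambda m: (not m[0].endswith("*"), len(m[0])))
    return "deny" not in caps and capability in caps


def check_template_access(policy: Policy, mount: str, key: str,
                          namespace: Optional[str], token: str) -> Dict[str, object]:
    """What a workspace holding this token can do to <mount>/<key>."""
    api_path = kv2_api_path(mount, key)
    policy_path = api_path[len("/v1/"):]      # policies omit the /v1/ prefix
    return {
        "url_path": api_path,
        "headers": namespace_headers(token, namespace),
        "read": allows(policy, "read", policy_path),
        "write": any(allows(policy, c, policy_path) for c in ("create", "update")),
        "delete": allows(policy, "delete", policy_path),
    }


if __name__ == "__main__":
    # Constructed values: a placeholder token and the namespace from the module example.
    print(check_template_access(READ_CODER_SECRETS, "coder", "coder", "prod", "hvs.EXAMPLE"))
    print(check_template_access(READ_CODER_SECRETS, "coder", "coder", "root", "hvs.EXAMPLE"))
```

Run it before committing a new policy to confirm the template's token can read the intended KV path and nothing else; a `deny` rule on a more specific path (for example `coder/data/admin/*`) wins over the broader read grant, which is the pattern to use when one mount holds both developer and operator secrets.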

Examples

Configure Vault integration and install a specific version of the Vault CLI

variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
}

module "vault" {
  source            = "registry.coder.com/coder/vault-token/coder"
  version           = "1.2.0"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_token       = var.vault_token
  vault_cli_version = "1.19.0"
}