Rowan Smith 5f3a559e83
feat: Add support for Vault namespaces to Vault modules (#554)
## Description

Adds support for accessing auth mounts/secret engines located in a non-root
namespace. Namespaces are a feature of Vault Enterprise.

## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [x] Feature/enhancement
- [ ] Documentation
- [ ] Other

## Module Information

**Path:** `registry/coder/modules/vault-github`  
**New version:** `v1.1.0`  
**Breaking change:** [ ] Yes [x] No

**Path:** `registry/coder/modules/vault-jwt`  
**New version:** `v1.2.0`  
**Breaking change:** [ ] Yes [x] No

**Path:** `registry/coder/modules/vault-token`  
**New version:** `v1.3.0`  
**Breaking change:** [ ] Yes [x] No

## Testing & Validation

- [x] Tests pass (`bun test`)
- [x] Code formatted (`bun fmt`)
- [x] Changes tested locally

## Related Issues

None

---------

Co-authored-by: DevCats <christofer@coder.com>
2025-11-20 10:48:13 -06:00

| display_name | description | icon | verified | tags |
| --- | --- | --- | --- | --- |
| Hashicorp Vault Integration (Token) | Authenticates with Vault using Token | ../../../../.icons/vault.svg | true | hashicorp, integration, vault, token |

# Hashicorp Vault Integration (Token)

This module lets you authenticate with Hashicorp Vault in your Coder workspaces using a Vault token.

```tf
variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
}

module "vault" {
  source          = "registry.coder.com/coder/vault-token/coder"
  version         = "1.3.0"
  agent_id        = coder_agent.example.id
  vault_token     = var.vault_token # optional
  vault_addr      = "https://vault.example.com"
  vault_namespace = "prod" # optional, vault enterprise only
}
```

Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:

```shell
vault kv get -namespace=coder -mount=secrets coder
```

or using the Vault API:

```shell
curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"
```
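
The two commands above address the same secret: the CLI passes the namespace as a flag, while the raw API call folds it into the URL as a path prefix. The following added example (not part of the module or the Coder registry) shows how `vault_namespace`, the KV v2 mount and the secret name compose into the request, in both the path-prefix form used by the `curl` line and the `X-Vault-Namespace` header form that Vault also accepts, and keeps the token out of anything that might be logged. Hostnames, token and secret names are constructed placeholders.

```python
"""Added example: build (and optionally send) a namespaced KV v2 read request.
Not code from the vault-token module; the sample values are constructed."""
import json
import urllib.request


def kv_v2_data_path(mount: str, secret_path: str) -> str:
    """KV v2 serves secret contents under <mount>/data/<secret path>."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"


def build_kv_read_request(vault_addr, token, mount, secret_path,
                          namespace=None, namespace_in_path=False):
    """Return (url, headers) for reading one KV v2 secret.

    Vault takes the namespace either as the X-Vault-Namespace header or as a
    path prefix in front of the mount; both forms name the same secret, which
    is why the README's curl line can put the namespace straight into the URL.
    """
    path = kv_v2_data_path(mount, secret_path)
    headers = {"X-Vault-Token": token}
    if namespace:
        ns = namespace.strip("/")
        if namespace_in_path:
            path = f"{ns}/{path}"
        else:
            headers["X-Vault-Namespace"] = ns
    url = f"{vault_addr.rstrip('/')}/v1/{path}"
    return url, headers


def redacted(headers: dict) -> dict:
    """Copy of the headers safe to log: the token value is masked."""
    safe = dict(headers)
    if "X-Vault-Token" in safe:
        safe["X-Vault-Token"] = "***"
    return safe


def read_secret(vault_addr, token, mount, secret_path, namespace=None):
    """Perform the read and return the secret's key/value data (network call,
    not exercised offline). Errors bubble up as urllib.error.HTTPError."""
    url, headers = build_kv_read_request(vault_addr, token, mount,
                                         secret_path, namespace)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    # KV v2 nests the stored pairs under data.data; metadata sits beside it.
    return body["data"]["data"]


if __name__ == "__main__":
    # Constructed values mirroring the README's workspace commands.
    url, hdrs = build_kv_read_request("https://vault.example.com", "hvs.example",
                                      "secrets", "coder", namespace="coder",
                                      namespace_in_path=True)
    print(url, redacted(hdrs))
```

Running the block prints `https://vault.example.com/v1/coder/secrets/data/coder` with the token masked; switching `namespace_in_path` off yields `/v1/secrets/data/coder` plus an `X-Vault-Namespace: coder` header, which is the form the CLI uses internally when given `-namespace`.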

## Configuration

To configure the Vault module, you must create a Vault token with the required permissions and configure the module with the token and Vault address.

1. Create a vault policy with read access to the secret mount you need your developers to access.

   ```shell
   vault policy write read-coder-secrets - <<EOF
   path "coder/data/*" {
     capabilities = ["read"]
   }
   path "coder/metadata/*" {
     capabilities = ["read"]
   }
   EOF
   ```

2. Create a token using this policy.

   ```shell
   vault token create -policy="read-coder-secrets"
   ```

3. Copy the generated token and use in your template.
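
The token created in step 2 is only as narrow as the policy from step 1, and it ends up inside every workspace built from the template. The added example below (not part of the module) is a small pre-flight check to run on the policy text before `vault policy write`: it parses the `path` blocks and reports any rule that reaches outside the intended mount or grants more than read/list. The policy from step 1 is embedded as constructed input; the parser is a deliberately simple regular expression that covers the `path "..." { capabilities = [...] }` shape shown above, not the full policy grammar.

```python
"""Added example: check that a Vault policy for workspace tokens stays
read-only and inside one mount. Not code from the vault-token module."""
import re

# Matches the path-block shape used in the README's policy.
PATH_BLOCK = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)

# Capabilities that cannot widen write access; "deny" only removes access.
READ_ONLY = {"read", "list", "deny"}


def parse_policy(hcl: str) -> dict:
    """Map each path rule to its set of capabilities."""
    rules = {}
    for m in PATH_BLOCK.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        rules[m.group("path")] = caps
    return rules


def policy_violations(hcl: str, allowed_mount: str) -> list:
    """Return human-readable problems; an empty list means the policy passes."""
    problems = []
    rules = parse_policy(hcl)
    if not rules:
        problems.append("no path rules found")
    prefix = allowed_mount.strip("/") + "/"
    for path, caps in rules.items():
        if not path.startswith(prefix):
            problems.append(f"{path}: outside mount {allowed_mount!r}")
        extra = caps - READ_ONLY
        if extra:
            problems.append(f"{path}: grants {sorted(extra)}")
    return problems


# Constructed input: the policy from step 1 of the README.
READ_CODER_SECRETS = """
path "coder/data/*" {
  capabilities = ["read"]
}
path "coder/metadata/*" {
  capabilities = ["read"]
}
"""

if __name__ == "__main__":
    print(policy_violations(READ_CODER_SECRETS, "coder") or "policy is read-only within mount")
```

For the README policy the check returns no violations. A rule such as `path "sys/*" { capabilities = ["read", "update"] }` would be reported twice, once for leaving the `coder` mount and once for the `update` capability, which is the signal to tighten the policy before minting the token.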

## Examples

### Configure Vault integration and install a specific version of the Vault CLI

```tf
variable "vault_token" {
  type        = string
  description = "The Vault token to use for authentication."
  sensitive   = true
}

module "vault" {
  source            = "registry.coder.com/coder/vault-token/coder"
  version           = "1.3.0"
  agent_id          = coder_agent.example.id
  vault_addr        = "https://vault.example.com"
  vault_token       = var.vault_token
  vault_cli_version = "1.19.0"
}
```