feat(vault-jwt): allow specifying the vault jwt token directly #436

Open
wants to merge 7 commits into
base: main
Changes from 2 commits
9 changes: 8 additions & 1 deletion vault-jwt/main.tf
Expand Up @@ -20,6 +20,13 @@ variable "vault_addr" {
description = "The address of the Vault server."
}

variable "vault_jwt_token" {
type = string
description = "The JWT token used for authentication with Vault."
default = null
sensitive = true
}

Comment on lines +23 to +29
Member

Can you add an example use case on how you would provide that token to the module? Are you fetching it externally through some API or another provider?

Contributor Author

https://gist.github.com/moo-im-a-cow/002e18137f5956893e610f85096e04e9#file-main-tf-L394-L422
this is how i'm currently generating the token, using another provider in the template

i'm doing this because i'd like to use a dedicated jwt token issued by coder for the workspace instead of passing through the token used to authenticate to coder

more info here: coder/coder#13127 (comment)

do you want the examples added to the commit in some way?
i'm unsure how documentation works here, but i'll do whatever is needed

Member

> do you want the examples added to the commit in some way?
> i'm unsure how documentation works here, but i'll do whatever is needed

We usually add example Terraform snippets in the README.md to guide users on possible ways the module can be used.

Contributor Author

i've now added an example

Member

Thanks. I would appreciate it if we could also add a vault policy that can use this new jwt token, scoped to workspace metadata.

variable "vault_jwt_auth_path" {
type = string
description = "The path to the Vault JWT auth method."
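
Review bot: the description on `vault_jwt_token` does not say what happens when the variable is left at `default = null`. Per the changed `CODER_OIDC_ACCESS_TOKEN` line in `coder_script.vault`, null means the module falls back to `data.coder_workspace_owner.me.oidc_access_token`, so the description should state that, for example "Optional JWT used to authenticate with Vault; when null, the workspace owner's OIDC access token is used." A `validation` block that rejects an empty string would also help, because `""` is not null and would be passed through instead of triggering the fallback. Marking the variable `sensitive = true` is the right call.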
Expand All @@ -46,7 +53,7 @@ resource "coder_script" "vault" {
display_name = "Vault (GitHub)"
icon = "/icon/vault.svg"
script = templatefile("${path.module}/run.sh", {
CODER_OIDC_ACCESS_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token != null ? var.vault_jwt_token : data.coder_workspace_owner.me.oidc_access_token,
VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
VAULT_JWT_ROLE : var.vault_jwt_role,
VAULT_CLI_VERSION : var.vault_cli_version,
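
Review bot: the `var.vault_jwt_token != null` test in the `CODER_OIDC_ACCESS_TOKEN` expression treats an empty string as a supplied token, so `vault_jwt_token = ""` would be templated into run.sh as an empty value instead of falling back to the OIDC access token. `coalesce(var.vault_jwt_token, data.coder_workspace_owner.me.oidc_access_token)` skips both null and empty strings and reads more simply, though it raises an error when both are empty, so decide whether that failure is wanted. The template key is still named `CODER_OIDC_ACCESS_TOKEN` even though it can now carry a JWT that is not the OIDC access token; a neutral key name, or a comment on this line, would keep readers of run.sh from assuming the value's origin.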