Create a GitHub Connection
Here you will want to enable the auth method for github via the CLI in your Vault instance.
Next configure the endpoint for Vault to communicate with GitHub
Here you will enable the GitHub org you are a part of to communicate with GitHub.
If you do not know how to create a GitHub org you can follow the documentation here: GitHub Org
Map Users or Teams in your GitHub organization to policies in Vault.
Example Vault policy for working with secrets.
path "secret/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "kv/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}Note: This is a broad policy in Vault and you may want to restrict how your github users interact with Vault.
Retrieve the GitHub token for the github user/group that is configured
vault_git_token<- get_github_token(url='vault.url.com',github_token='ghp_12345abcdef')Get/Retrieve secrets from Vault via the GitHub token
get_vault_data(url = "vault-url.com",path = "secret-path",token = vault_git_token)Wrap secrets via vault
This function allows you to wrap secrets from vault and send them securly to another person via plain text. The vault token returned is only good for a one time use.
wrap_secrets(url = "vault-url.com",token = vault_git_token ,secrets_to_wrap = list("one"=one,"two"=two),ttl = "30m")You will see the following error in the vault console if the token to wrap the secrets has already been utilized elsewhere.
Unwrap Error