| display_name | Hashicorp Vault Integration (Token) | ||||
|---|---|---|---|---|---|
| description | Authenticates with Vault using Token | ||||
| icon | ../.icons/vault.svg | ||||
| maintainer_github | coder | ||||
| partner_github | hashicorp | ||||
| verified | true | ||||
| tags |
|
This module lets you authenticate with Hashicorp Vault in your Coder workspaces using a Vault token.
variable "vault_token" {
type = string
description = "The Vault token to use for authentication."
sensitive = true
}
module "vault" {
source = "registry.coder.com/modules/vault-token/coder"
version = "1.0.7"
agent_id = coder_agent.example.id
vault_token = var.token
vault_addr = "https://vault.example.com"
}Then you can use the Vault CLI in your workspaces to fetch secrets from Vault:
vault kv get -namespace=coder -mount=secrets coderor using the Vault API:
curl -H "X-Vault-Token: ${VAULT_TOKEN}" -X GET "${VAULT_ADDR}/v1/coder/secrets/data/coder"To configure the Vault module, you must create a Vault token with the the required permissions and configure the module with the token and Vault address.
- Create a vault policy with read access to the secret mount you need your developers to access.
vault policy write read-coder-secrets - <<EOF path "coder/data/*" { capabilities = ["read"] } path "coder/metadata/*" { capabilities = ["read"] } EOF
- Create a token using this policy.
vault token create -policy="read-coder-secrets" - Copy the generated token and use in your template.
variable "vault_token" {
type = string
description = "The Vault token to use for authentication."
sensitive = true
}
module "vault" {
source = "registry.coder.com/modules/vault-token/coder"
version = "1.0.7"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_token = var.token
vault_cli_version = "1.15.0"
}