hashicorp/vault-action

HashiCorp Vault running on AWS EC2 instance and trying to integrate the Vault with GitHub Actions using OIDC


Describe the bug
HashiCorp Vault running on an AWS EC2 instance and trying to integrate the Vault with GitHub Actions using OIDC.

ERROR message:
::endgroup::
Error: connect ECONNREFUSED 127.0.0.1:8200
##[debug]Node Action run completed with exit code 1
To Reproduce
The yaml of the vault-action step, with any sensitive information masked or removed.

    - name: Get Secrets
      id: secrets
      uses: hashicorp/vault-action@v2.4.0
      with:
        url: ${{ secrets.VAULT_ADDR }}
        token: ${{ secrets.VAULT_TOKEN }}
        caCertificate: ${{ secrets.VAULTCERT }}
        role: vault-github-poc-role
        method: jwt
        # path: gh-actions
        secrets: |
           secret/data/gh-vault password

Expected behavior
A clear and concise description of what you expected to happen.

Log Output
##[debug]Evaluating condition for step: 'Get Secrets'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Get Secrets
##[debug]Loading inputs
##[debug]Evaluating: secrets.VAULT_ADDR
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_ADDR'
##[debug]=> ''
##[debug]Result: '
'
##[debug]Evaluating: secrets.VAULT_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_TOKEN'
##[debug]=> ''
##[debug]Result: '
'
##[debug]Evaluating: secrets.VAULTCERT
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULTCERT'
##[debug]=> '***
Run hashicorp/vault-action@v2.4.0
with:
url: ***
token: ***
caCertificate: ***
role: vault-github-role
method: jwt
secrets: secret/data/gh-poc password

kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
exportEnv: true
exportToken: false
tlsSkipVerify: false
jwtTtl: 3[60]

Get Vault Secrets
Error: connect ECONNREFUSED 127.0.0.1:8200
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Get Secrets

Additional context

Question is, can we connect the HashiCorp Vault hosted on an AWS EC2 instance, or Vault running as a container in Kubernetes, to a GitHub secrets workflow? Or do we need to do this only via self-hosted runners? Please provide more details.

Hey @scharishma-db , it looks like a network configuration issue rather than a vault-action bug so if that's ok I'll close this issue.

I can try to give pointers with the information you shared with us. If Vault is running on an EC2 instance, you must configure it so it is available from the Internet for the GitHub-hosted runner to be able to reach your Vault server running on AWS. AWS has a lot of documentation and tutorials on different methods to achieve this. One solution would be to use an internet gateway and assign an Elastic IP to your EC2's IPv4 address so communication from the public Internet can reach your Vault server.

If you do not wish your Vault server to be accessible from the Internet, you will need to have self-hosted runners running on AWS and this time configure the proper internal network access so the runner can access your Vault server.

If your goal is to explore Vault & vault-action and you'd like a simple solution to get started, creating a free Vault cluster on the HashiCorp Cloud Platform would take care of all that network setup for you, if a SaaS approach interests you.

I hope this helps you understand what's going on here, sorry if I can't give a more straightforward solution 😅. If you have other questions feel free to re-open this issue!
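A preflight step for the workflow in this issue, added here as an example and not part of vault-action: it checks the value of the `VAULT_ADDR` secret before the `Get Secrets` step runs, so a blank or whitespace-padded secret (the debug log above shows the `url` evaluating to a blank value followed by `connect ECONNREFUSED 127.0.0.1:8200`) or a loopback/private address that a GitHub-hosted runner can never reach fails fast with a readable reason. The function names and return codes are my own; `VAULT_ADDR` is the secret name from the workflow.

```shell
#!/usr/bin/env bash
# Preflight check for the Vault address a GitHub-hosted runner will use.
# Added example, not vault-action's own code. Function names and return
# codes are assumptions of this example.

# check_vault_addr URL
# Returns 0 when the address can plausibly be reached from a hosted runner;
# otherwise prints the reason and returns a distinct non-zero code.
check_vault_addr() {
  local url="$1" host
  if [ -z "$url" ]; then
    echo "VAULT_ADDR is empty: the secret is unset or not visible to this job"
    return 1
  fi
  case "$url" in
    *[[:space:]]*)
      echo "VAULT_ADDR contains whitespace (a pasted newline?); the action would not get a usable URL"
      return 2 ;;
    https://*) ;;
    http://*)
      echo "VAULT_ADDR uses plain http; the JWT and fetched secrets would cross the Internet unencrypted"
      return 3 ;;
    *)
      echo "VAULT_ADDR is not an http(s) URL: $url"
      return 4 ;;
  esac
  # Extract the host: drop scheme, then path, then port (IPv4/hostnames only).
  host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"
  case "$host" in
    localhost|127.*|0.0.0.0|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
      echo "VAULT_ADDR host '$host' is loopback or private; a GitHub-hosted runner cannot reach it (expose Vault publicly or use a self-hosted runner)"
      return 5 ;;
  esac
  return 0
}

# probe_vault_health URL
# Queries Vault's unauthenticated health endpoint and prints the HTTP status:
# 200 active, 429 standby, 503 sealed, 000 when the host is unreachable.
probe_vault_health() {
  curl -sS --max-time 10 -o /dev/null -w '%{http_code}' "$1/v1/sys/health" || true
}
```

Run it in a `run:` step placed before `Get Secrets`, passing the secret through `env:` (`VAULT_ADDR: ${{ secrets.VAULT_ADDR }}`) and calling `check_vault_addr "$VAULT_ADDR" && probe_vault_health "$VAULT_ADDR"` rather than interpolating the secret directly into the script. A non-zero exit from the check fails the job with the reason in the log instead of a bare ECONNREFUSED.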