Hashicorp vault running on AWS EC2 instance and trying to integrate the vault with Github actions using OIDC
Closed this issue · 1 comments
Describe the bug
Hashicorp vault running on AWS EC2 instance and trying to integrate the vault with Github actions using OIDC.
ERROR message:
```text
::endgroup::
Error: connect ECONNREFUSED 127.0.0.1:8200
##[debug]Node Action run completed with exit code 1
```
To Reproduce
The yaml of the vault-action step, with any sensitive information masked or removed.
```yaml
- name: Get Secrets
  id: secrets
  uses: hashicorp/vault-action@v2.4.0
  with:
    url: ${{ secrets.VAULT_ADDR }}
    token: ${{ secrets.VAULT_TOKEN }}
    caCertificate: ${{ secrets.VAULTCERT }}
    role: vault-github-poc-role
    method: jwt
    # path: gh-actions
    secrets: |
      secret/data/gh-vault password
```
Expected behavior
A clear and concise description of what you expected to happen.
Log Output
```text
##[debug]Evaluating condition for step: 'Get Secrets'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Get Secrets
##[debug]Loading inputs
##[debug]Evaluating: secrets.VAULT_ADDR
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_ADDR'
##[debug]=> ''
##[debug]Result: ''
##[debug]Evaluating: secrets.VAULT_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULT_TOKEN'
##[debug]=> ''
##[debug]Result: ''
##[debug]Evaluating: secrets.VAULTCERT
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'VAULTCERT'
##[debug]=> '***
Run hashicorp/vault-action@v2.4.0
  with:
    url: ***
    token: ***
    caCertificate: ***
    role: vault-github-role
    method: jwt
    secrets: secret/data/gh-poc password
    kubernetesTokenPath: /var/run/secrets/kubernetes.io/serviceaccount/token
    exportEnv: true
    exportToken: false
    tlsSkipVerify: false
    jwtTtl: 3600
Get Vault Secrets
Error: connect ECONNREFUSED 127.0.0.1:8200
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Get Secrets
```
Additional context
The question is: can we connect a HashiCorp Vault hosted on an AWS EC2 instance, or Vault running as a container in Kubernetes, to a GitHub Actions workflow? Or do we need to do this only via self-hosted runners? Please provide more details.
Hey @scharishma-db , it looks like a network configuration issue rather than a vault-action bug so if that's ok I'll close this issue.
I can try to give pointers with the information you shared with us. If Vault is running on an EC2 instance, you must configure it so it is available from the Internet for the GitHub-hosted runner to be able to reach your Vault server running on AWS. AWS has a lot of documentation and tutorials on different methods to achieve this. One solution would be to use an internet gateway and assign an Elastic IP to your EC2 instance's IPv4 address so communication from the public Internet can reach your Vault server.
If you do not wish your Vault server to be accessible from the Internet, you will need to have self-hosted runners running on AWS and, this time, configure the proper internal network access so the runner can access your Vault server.
If your goal is to explore Vault and vault-action and you'd like a simple solution to get started, creating a free Vault cluster on the HashiCorp Cloud Platform would take care of all that network setup for you, if a SaaS approach interests you.
I hope this helps you understand what's going on here; sorry I can't give a more straightforward solution 😅. If you have other questions, feel free to re-open this issue!
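As an added example (not code from this issue, from vault-action or from HashiCorp): the debug log above shows `secrets.VAULT_ADDR` evaluating to `''` right before the action reports `connect ECONNREFUSED 127.0.0.1:8200`, so a preflight step that fails fast on an empty, plaintext, loopback or (for GitHub-hosted runners) private Vault address, and then does a TLS-verified probe of Vault's unauthenticated `/v1/sys/health` endpoint, tells a missing secret apart from the network-reachability problem the reply describes. The script name `vault-preflight.sh`, the `hosted`/`self-hosted` argument and the CA file path are assumptions for the illustration; the health-endpoint status codes are the ones Vault documents for `sys/health`.

```shell
#!/bin/sh
# vault-preflight.sh: run before the hashicorp/vault-action step so that a
# missing secret or an unreachable Vault fails with a clear message instead of
# "connect ECONNREFUSED 127.0.0.1:8200". Added example; not part of vault-action.
set -u

# validate_vault_addr URL [hosted|self-hosted]
# Returns 0 when URL is something a runner of that kind could plausibly reach.
validate_vault_addr() {
  url="$1"
  runner="${2:-hosted}"

  # Empty value: the secret is missing, misnamed, or not exposed to this
  # job/environment. This is what the debug log shows for secrets.VAULT_ADDR.
  if [ -z "$url" ]; then
    echo "VAULT_ADDR is empty (secret missing or not available to this job)" >&2
    return 1
  fi

  case "$url" in
    https://*) ;;
    http://*)
      echo "VAULT_ADDR uses plain http; the token and secrets would cross the network in clear" >&2
      return 1 ;;
    *)
      echo "VAULT_ADDR must include a scheme, e.g. https://vault.example.com:8200" >&2
      return 1 ;;
  esac

  # Extract the host: drop scheme, path, then port (bracketed IPv6 literals
  # keep their contents).
  host="${url#https://}"
  host="${host%%/*}"
  case "$host" in
    \[*) host="${host#\[}"; host="${host%%\]*}" ;;
    *)   host="${host%%:*}" ;;
  esac

  # Loopback or link-local points at the runner VM itself, never at Vault.
  case "$host" in
    localhost|127.*|::1|169.254.*)
      echo "VAULT_ADDR host '$host' is loopback/link-local on the runner, not your Vault server" >&2
      return 1 ;;
  esac

  # RFC 1918 addresses are fine from a self-hosted runner inside the VPC, but a
  # GitHub-hosted runner has no route to them (the two options in the reply
  # above). Hostnames that merely resolve to private IPs are not caught here.
  if [ "$runner" = "hosted" ]; then
    case "$host" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
        echo "VAULT_ADDR host '$host' is a private address; unreachable from a GitHub-hosted runner" >&2
        return 1 ;;
    esac
  fi
  return 0
}

# probe_vault URL [CA_PEM_FILE]
# TLS-verified GET of the unauthenticated health endpoint. Deliberately no
# --insecure: the equivalent of tlsSkipVerify: true would let an on-path host
# impersonate Vault and receive the job's OIDC token.
probe_vault() {
  url="$1"
  ca="${2:-}"
  set -- --silent --show-error --max-time 10 -o /dev/null -w '%{http_code}'
  if [ -n "$ca" ]; then
    set -- "$@" --cacert "$ca"
  fi
  code=$(curl "$@" "$url/v1/sys/health") || return 1
  # Vault's documented sys/health codes: 200 active, 429 standby,
  # 472 DR secondary, 473 performance standby, 501 uninitialized, 503 sealed.
  case "$code" in
    200|429|472|473|501|503) echo "Vault reachable at $url (sys/health -> $code)"; return 0 ;;
    *) echo "unexpected status $code from $url/v1/sys/health" >&2; return 1 ;;
  esac
}

# Workflow usage (arguments are assumptions for this example):
#   run: sh vault-preflight.sh "$VAULT_ADDR" hosted "$RUNNER_TEMP/vault-ca.pem"
if [ "$#" -ge 2 ]; then
  validate_vault_addr "$1" "$2" || exit 1
  probe_vault "$1" "${3:-}" || exit 1
fi
```

Keep `tlsSkipVerify: false` in the vault-action step (as the log above already shows) and hand the server's CA to the probe and to the action's `caCertificate` input instead; skipping verification to "fix" a connection problem trades the ECONNREFUSED for a silent token-theft opportunity on the path between the runner and Vault.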