 

How to write roles and policies in Hashicorp Vault using a pipeline

I am using HashiCorp Vault for managing and storing my secrets, and I am using GitLab as a CI/CD pipeline to read those secrets. Using this documentation https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/, I am able to read the secrets using JWT. But I had already configured those secrets/roles/policies from the Vault CLI.

What I want to know is if there is a way to create policies and roles directly from the pipeline. For example, the 1st step is to create the role like this:

$ vault write auth/jwt/role/myproject-production - <<EOF
{
  "role_type": "jwt",
  "policies": ["myproject-production"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims_type": "glob",
  "bound_claims": {
    "project_id": "42",
    "ref_protected": "true",
    "ref_type": "tag",
    "ref": "auto-deploy-*"
  }
}
EOF

Here you can see I have attached a policy myproject-production to this role, which will be created like this:

$ vault policy write myproject-production - <<EOF
# Policy name: myproject-production
#
# Read-only permission on 'secret/data/myproject/production/*' path
path "secret/data/myproject/production/*" {
  capabilities = [ "read" ]
}
EOF

How do I perform these 2 steps from a pipeline after authentication with Vault succeeds? Right now what I am doing is, when a new user comes in, I go and create the policy and role for him, and the user uses the same in the pipeline to read the secrets.

mikita agrawal asked Jan 19 '26 16:01

1 Answer

Perhaps you could do something like the following?

import argparse
import json

def parse_args():
    # The project ID comes from the pipeline (e.g. GitLab's CI_PROJECT_ID)
    parser = argparse.ArgumentParser(description="Generate JSON structure for a project ID")
    parser.add_argument('--project-id', required=True, help='Project ID')
    return parser.parse_args()

def generate_json_structure(project_id):
    # Same role body as in the question, with the project ID filled in;
    # bound_claims values are strings, so the ID is passed through unchanged.
    data = {
        "role_type": "jwt",
        "policies": ["myproject-production"],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims_type": "glob",
        "bound_claims": {
            "project_id": project_id,
            "ref_protected": "true",
            "ref_type": "tag",
            "ref": "auto-deploy-*"
        }
    }
    return json.dumps(data, indent=4)

def main():
    args = parse_args()
    json_output = generate_json_structure(args.project_id)
    # Printed to stdout so it can be piped into `vault write auth/jwt/role/<name> -`
    print(json_output)

if __name__ == "__main__":
    main()
Volodymyr Melnyk answered Jan 22 '26 08:01
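The script above only renders the role body; the two steps from the question (write the policy, then write the role) still have to reach Vault. The following is an added example, not code from the question, the answer or HashiCorp, that performs both steps from a pipeline job through Vault's HTTP API (`PUT /v1/sys/policies/acl/<name>` and `POST /v1/auth/jwt/role/<name>`, both of which return 204 on success). It keeps the names from the question (`myproject`, `production`, project ID `42`) and assumes the KV v2 engine is mounted at `secret` and the JWT method at `auth/jwt`. One caveat a practitioner should not skip: the token the job uses for this must come from a separate, operator-created "bootstrap" role whose policy grants only `sys/policies/acl/*` and `auth/jwt/role/*` (see `admin_policy_hcl`), bound to a protected ref of a dedicated infrastructure project. If the ordinary per-project role could write policies, any project could widen its own access. Project and environment names are validated before they are interpolated into HCL, since a value taken from a CI variable must not be able to carry `*`, `+` or `/` into a path glob.

```python
"""Bootstrap a per-project Vault policy and JWT role from a CI job.

Added example, not from the original question or answer. Assumed: KV v2 is
mounted at 'secret', the JWT auth method at 'auth/jwt', and the job already
holds a Vault token issued to a bootstrap role carrying admin_policy_hcl().
"""
import json
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Names are interpolated into policy paths and HCL, so restrict them first;
# a name from a CI variable must not be able to carry '*', '+' or '/'.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

Call = Tuple[str, str, Dict]  # (HTTP method, URL, JSON body)


def _safe(value: str, what: str) -> str:
    if not NAME_RE.match(value):
        raise ValueError(f"{what} {value!r} is not a safe Vault path segment")
    return value


def policy_hcl(project: str, env: str, mount: str = "secret") -> str:
    """Read-only policy on <mount>/data/<project>/<env>/* (KV v2 data path)."""
    project, env, mount = _safe(project, "project"), _safe(env, "env"), _safe(mount, "mount")
    return (
        f"# Policy name: {project}-{env}\n"
        f'path "{mount}/data/{project}/{env}/*" {{\n'
        '  capabilities = ["read"]\n'
        "}\n"
    )


def role_payload(project: str, env: str, project_id: int) -> Dict:
    """JWT role bound to one GitLab project and to protected 'auto-deploy-*' tags."""
    name = f"{_safe(project, 'project')}-{_safe(env, 'env')}"
    return {
        "role_type": "jwt",
        "policies": [name],
        "token_explicit_max_ttl": 60,
        "user_claim": "user_email",
        "bound_claims_type": "glob",
        "bound_claims": {
            "project_id": str(int(project_id)),  # claims are strings; int() rejects junk
            "ref_protected": "true",
            "ref_type": "tag",
            "ref": "auto-deploy-*",
        },
    }


def admin_policy_hcl() -> str:
    """Policy for the bootstrap role only: write policies and JWT roles, nothing else.

    Created once by an operator from the CLI. It must never be attached to the
    per-project roles written here, or a project could grant itself any policy.
    """
    return (
        'path "sys/policies/acl/*" {\n  capabilities = ["create", "update", "read"]\n}\n'
        'path "auth/jwt/role/*" {\n  capabilities = ["create", "update", "read"]\n}\n'
    )


def vault_calls(addr: str, project: str, env: str, project_id: int,
                mount: str = "secret") -> List[Call]:
    """The two API writes as data, so they can be reviewed or tested without a server."""
    name = f"{_safe(project, 'project')}-{_safe(env, 'env')}"
    return [
        ("PUT", f"{addr}/v1/sys/policies/acl/{name}",
         {"policy": policy_hcl(project, env, mount)}),
        ("POST", f"{addr}/v1/auth/jwt/role/{name}",
         role_payload(project, env, project_id)),
    ]


def _http_send(method: str, url: str, token: str, body: Dict) -> int:
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status


def bootstrap(addr: str, token: str, project: str, env: str, project_id: int,
              send: Callable[[str, str, str, Dict], int] = _http_send) -> int:
    """Write the policy, then the role that references it; return the call count."""
    done = 0
    for method, url, body in vault_calls(addr, project, env, project_id):
        status = send(method, url, token, body)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {url} -> HTTP {status}")
        done += 1
    return done


if __name__ == "__main__":
    import os
    # VAULT_ADDR / VAULT_TOKEN are set by the job after `vault write auth/jwt/login`
    bootstrap(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
              "myproject", "production", 42)
```

The policy is written before the role on purpose: Vault accepts a role that names a not-yet-existing policy, but a token issued from it would then carry no capabilities, which is confusing to debug from a pipeline log. Order the calls so a failure in the first write stops the job before the role exists.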


