How to Fetch Secrets From HashiCorp Vault With OIDC in GitHub Actions
Vault JWT auth verifies the GitHub OIDC token and issues a short-lived Vault token, so vault-action can read paths without a stored Vault token.
Configure a Vault JWT auth role bound to your repo, grant id-token: write, then use hashicorp/vault-action with method: jwt to read secret paths into env vars.
Steps
- Create a Vault JWT auth role bound to your repo and branch.
- Grant
id-token: writein the job. - Use
hashicorp/vault-actionwithmethod: jwtand listsecrets.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
app:
runs-on: ubuntu-latest
steps:
- uses: hashicorp/vault-action@v3
with:
url: https://vault.example.com
method: jwt
role: gha-deploy
secrets: |
secret/data/app api_key | API_KEY
- run: ./deploy.sh # $API_KEY is set and maskedGotchas
- The JWT role
bound_claimsmust matchsub(e.g.repo:org/name:ref:refs/heads/main). - Set
bound_audiencesto the audience vault-action requests or auth fails.
Related guides
How to Read Secrets From AWS Secrets Manager in a Workflow in GitHub ActionsPull runtime secrets from AWS Secrets Manager in GitHub Actions with OIDC and the official action, exporting…
How to Authenticate to GCP With Workload Identity Federation in GitHub ActionsAuthenticate to Google Cloud from GitHub Actions using Workload Identity Federation and google-github-actions…