Skip to content
Latchkey

How to Fetch Secrets From HashiCorp Vault With OIDC in GitHub Actions

Vault JWT auth verifies the GitHub OIDC token and issues a short-lived Vault token, so vault-action can read paths without a stored Vault token.

Configure a Vault JWT auth role bound to your repo, grant id-token: write, then use hashicorp/vault-action with method: jwt to read secret paths into env vars.

Steps

  • Create a Vault JWT auth role bound to your repo and branch.
  • Grant id-token: write in the job.
  • Use hashicorp/vault-action with method: jwt and list secrets.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  app:
    runs-on: ubuntu-latest
    steps:
      - uses: hashicorp/vault-action@v3
        with:
          url: https://vault.example.com
          method: jwt
          role: gha-deploy
          secrets: |
            secret/data/app api_key | API_KEY
      - run: ./deploy.sh   # $API_KEY is set and masked

Gotchas

  • The JWT role bound_claims must match sub (e.g. repo:org/name:ref:refs/heads/main).
  • Set bound_audiences to the audience vault-action requests or auth fails.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →