Introduction
When configuring the Vault GitHub Action, one thing that commonly needs to be done is configuring a CA certificate within GitHub so that TLS communication to the Vault server can succeed. This can be a bit tricky to set up if it is your first time doing so, so we will walk through it.
Procedure
Firstly, if you are just getting started with the Vault GitHub Action, this tutorial is a great place to start and understand the basics of implementation. The GitHub Action is configured using YAML. An example of this configuration can be found below.
jobs:
  build:
    # ...
    steps:
      # ...
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: https://vault.mycompany.com:8200
          token: ${{ secrets.VAULT_TOKEN }}
          caCertificate: ${{ secrets.VAULT_CA_CERT }}
          secrets: |
            secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            secret/data/ci npm_token
As you can see, the caCertificate input is being set to ${{ secrets.VAULT_CA_CERT }}. This corresponds to a secret called VAULT_CA_CERT which you configure in your GitHub repository. When you're wondering what to set the VAULT_CA_CERT secret to, you can refer to the GitHub input reference here. As per the input reference, the value of caCertificate should be: "Base64 encoded CA certificate the server certificate was signed with".
Let's break this down and evaluate it. Firstly, your CA certificate should be your entire CA chain. The CA chain represents the entire chain of trust associated with your certificate. This means that you can't simply configure this value to be the root CA; you must have the entire chain. The chain file is simply the certificates appended one after another, each with its own BEGIN and END markers. A certificate chain with 2 certificates in it would look like the following.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Once you have your certificate chain in the correct order in a file, you can then tackle the last requirement: base64 encoding the chain. This part is pretty simple. You can cat out the file and pipe it into the base64 utility to get the base64-encoded certificate chain. The process looks like the following.
$ cat vault-ca.crt | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzRENDQXBpZ0F3SUJBZ0lVZi9jM25KWkl1
Nlc0QmxpVWxxMlRqTVdJNHQ0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF4TUxa
WGhoYlhCc1pTNWpiMjB3SGhjTk1qSXdOREE0TVRnek1qVTJXaGNOTWpjdwpOREEzTVRnek16STJX
akF0TVNzd0tRWURWUVFERXlKbGVHRnRjR3hsTG1OdmJTQkpiblJsY20xbFpHbGhkR1VnClFYVjBh
Rzl5YVhSNU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBekh1dy81
N0YKVmhwK0t1M0VQamIweE1CK1VFS05TcTFLai95QWJRQXExaE15bU5rL1d2cUNjaWpHMlkzbmt3
Qk1SVks2WHgvRwpUN2x6aHgzTDRRMUdiNDRBMU1rUlpyTGJqVXM0MnVPd2tocXJCMXVzSDBVYy90
RU1rb2xRM21Ob0V1aXVQeGdsCjdwRWhHRDNvMnlZaXFER0JrN05sRzhNa2QrSnh6QnB3emUxLy9V
TXVZYnVBNTVRWUZPVm5INjlNVUVhVEJGaDUKa3RzYjl5Q21YZmpTeUxWNXp6VURFb21USWttQldB
bWF6WHVnbm9jUkx2VWR0bENBVmVVTXIwZWMzSXJ3ZjN4QQpUeG5IZlJPc0x3bG90anlmaVRKdHZJ
RVZ5a0tyV0xnSytrNkNKUkZidVJaQTlJYUZkRmliSG1sanAyOFV6SmswCkhxRk9INXhNTVpzWk93
SURBUUFCbzRIZU1JSGJNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEUKQlRBREFR
SC9NQjBHQTFVZERnUVdCQlJYRnB4RFFYdDV5MHVIVVZaeWdNbEF6ZmJRY1RBZkJnTlZIU01FR0RB
VwpnQlNGNDcwNTZ3Ym1yWjMrYXlFcERIMVpJaVpOenpCQUJnZ3JCZ0VGQlFjQkFRUTBNREl3TUFZ
SUt3WUJCUVVICk1BS0dKR2gwZEhBNkx5OHhNamN1TUM0d0xqRTZPREl3TUM5Mk1TOXdhMmxmY205
dmRDOWpZVEEyQmdOVkhSOEUKTHpBdE1DdWdLYUFuaGlWb2RIUndPaTh2TVRJM0xqQXVNQzR4T2pn
eU1EQXZkakV2Y0d0cFgzSnZiM1F2WTNKcwpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFIQTh4
VUt6azMxdm10TUlpcGwxaTlQbUpMc1RkTGNmbnJ6RUJnCldONkMvb3BibjNJTDBIYU5sQU1WTjV4
VTlTWXlDMUxBa0FaUjBPTFZRblV6TXc5RlM0b2Nyc1hyRFRpZUNkcnoKdVlKR2E3a0FEaWNRSFcx
MzJiOW4vWXB4QkZuTnRCM0FXZmVhbjV3NUxVcXp1Qmw1VXFQQXY3bjUyejF2K2xoYQpTL1RpbjRS
czQxeXBIRmdKL2dmTWFYRDJOd3hGUlZaVkVLTTdiTkVQTFhuVUIzdmJlaVVZVVRnOVVvdjBVN05U
ClBtb2ovYmZiSkpPWW1jamVNc3NLMVhtYlM4NmlET0lSb1ZCNVRKU3YzRkJjTm9ZTmRMU1U0WW9U
YXoyb2dqNUUKVHlIK0ZWQklzb2NOcUl5UU9XT1ZUTEVxZU9rZzVOS0hYcE4yZHRFNC9aOXFERm5n
Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J
SUROVENDQWgyZ0F3SUJBZ0lVYXcx2ErcEZDVHNGNTlvVStnSThwNmw0cGw0d0RRWUpLb1pJaHZj
TkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF4TUxaWGhoYlhCc1pTNWpiMjB3SGhjTk1qSXdOREE0TVRn
ek1qVXhXaGNOTXpJdwpOREExTVRnek16SXhXakFXTVJRd0VnWURWUVFERXd0bGVHRnRjR3hsTG1O
dmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNYk8rYzVjNTkr
cUExeFFSU2ZHWlBGODN2SzRjYjBFWpRQXJrWGcKTWRDWWU5WU5meWM0L2VjcWpHRnNEVzZ0VHJx
am1TSnNhNmpKbWgyMHFVa1BZWHlTMDFNbE9zeVBMdDlrS0JnVQpzaG5sS0FJMGpKVjBpd29JbGRT
LzNBNHdYUWdlRHdMckViMkFYSGRPNnFsRlBablVCOEl4cXVWcUYwdDBTMnc4CnZQRzNZdU8ybUU3
MFY4SjlZcU1ZQTFMaU51ZUxHbTJWUlpObktFNGpVR3FNRGhscnlZZWhnSldhZ3ZPMGp1UWYKWS9I
M0x0bTNnK2FZcVZJTVMzdHAraWlqdGcyWGZFam9HZGpkNW9OYm1PNzdSUW9ub21XSW5EcjJhMnpM
SWV4aApmR25Eby9WcG9tZkpnT0xXbXJwTUV3ZWF1aTQySGpURmJjVFFPMndldUdJbnB3VUNBd0VB
QWFON01Ia3dEZ1lEClZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlE
VlIwT0JCWUVGSVhqdlRuckJ1YXQKbmY1cklTa01mVmtpSmszUE1COEdBMVVkSXdRWU1CYUFGSVhq
dlRuckJ1YXRuZjVySVNrTWZWa2lKazNQTUJZRwpBMVVkRVFRUE1BMkNDMlY0WVcxd2JHVXVZMjl0
TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDbWRGODU1ZzhUClcydm5lS1dtbVhEMkxLTUZGYUdy
Njd5U05NVXM1KzZmQlNPQnBxQXpXUjgvMVpFc3BacVQxbVRmbElKSWJYeHYKWmU5RTZmanRZWGJk
U1V1NzBFVWM1SkYvMjVQeWZXd2NiQnZONGYrZitiUHdlYVJpVmFhck9wOU80cERzWkhEWQpZdnox
Y3BPbXNwcURaWjNiZ21wNzdHNncvMEUxMzJrOGNRckVtSFZCbURjK09lQWM0OWN3cVRJY3BJaVlK
aVZRClVHTEliSmtrQzRNSmdVQktLNW5SdzBWT3J5TnBrbldWVjE4bHBSSWxvMFRmM1RFQ3JSOE9r
WEdPRnppSlZ1VUsKYzJuUk11QWxZaThUZHFSc1lXVGFjK3NtdWk3MHZxclpHR2Nnb2hGalBqV0dt
aDVTNXpERlpPNVIxbUVoYmdycAphUFEzL1hZTjl2WmQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0t
LQo=
Once you have the base64 string, the last step is to copy that string exactly as it is into your VAULT_CA_CERT GitHub secret. Your YAML template then references that secret and assigns its value to the caCertificate input, and that's it!
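The whole procedure above, as an added shell script that is not part of the original post or of the vault-action project: it checks that the chain file has balanced BEGIN/END markers, prints the subject and issuer of each block so you can confirm the order (with openssl, when it is installed), encodes the file as one base64 line, and verifies that decoding that line reproduces the file byte for byte before you paste it into the VAULT_CA_CERT secret. The file name vault-ca.crt, the ordering assumption (issuing intermediates first, root CA last) and the two sample blocks with placeholder bodies are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example (not from the post or the vault-action project): sanity-check and
# base64-encode a PEM CA chain for the caCertificate input of hashicorp/vault-action.
# Assumption: the chain file lists issuing intermediates first and the root CA last.
set -eu

# Number of PEM certificate blocks in the file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Structural check: at least one block, and every BEGIN has a matching END.
check_chain() {
    begins=$(count_certs "$1")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Single-line base64 of the whole file. base64(1) wraps at 76 columns by default
# and the flag that disables wrapping differs between GNU (-w0) and BSD (-b 0),
# so the newlines are stripped with tr instead. This is the value for the secret.
encode_chain() {
    base64 < "$1" | tr -d '\n'
}

# Decode the encoded value and compare it byte for byte with the original file,
# so the secret is known to reproduce exactly the chain that was tested.
roundtrip_ok() {
    encode_chain "$1" | base64 -d | cmp -s - "$1"
}

# Print subject and issuer of each block in file order. In a correctly ordered
# chain the issuer of block N is the subject of block N+1. Needs openssl.
show_order() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, order check skipped" >&2; return 0; }
    dir=$(mktemp -d)
    # Split the chain into one file per block: part.1, part.2, ...
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/part." n)}' "$1"
    for p in "$dir"/part.*; do
        openssl x509 -in "$p" -noout -subject -issuer 2>/dev/null \
            || echo "$(basename "$p"): not a parseable X.509 certificate"
    done
    rm -rf "$dir"
}

main() {
    chain=${1:-}
    if [ -z "$chain" ]; then
        # No file given: write a constructed two-block sample so the script runs
        # offline. The bodies are placeholders, not real certificates.
        chain=$(mktemp)
        printf '%s\n' \
            '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgU0FNUExFIElOVEVSTUVESUFURSAtIE5PVCBBIFJFQUwgQ0VSVA==' \
            '-----END CERTIFICATE-----' \
            '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgU0FNUExFIFJPT1QgLSBOT1QgQSBSRUFMIENFUlQ=' \
            '-----END CERTIFICATE-----' > "$chain"
    fi
    check_chain "$chain" || { echo "malformed chain: unbalanced BEGIN/END markers" >&2; exit 1; }
    echo "certificates in chain: $(count_certs "$chain")"
    show_order "$chain"
    roundtrip_ok "$chain" || { echo "base64 round-trip mismatch" >&2; exit 1; }
    echo "VAULT_CA_CERT value:"
    encode_chain "$chain"; echo
}

main "$@"
```

Run it as `sh build_vault_ca_secret.sh vault-ca.crt` against your real chain file; with no argument it exercises the constructed sample, whose blocks openssl reports as unparseable, which is exactly the message you would see if a block in a real chain were truncated or corrupted. The single-line output decodes to the same bytes as the wrapped output of a plain `base64` run, so either form carries the same chain; the single line is simply easier to paste without losing or gaining a line break.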