Hashicorp Vault with OIDC using Keycloak

D. Heinrich
3 min readJun 30, 2021

I recently had to configure Hashicorps Vault to be integrated with our SSO provider Keycloak using Openid-Connect.

NOTE:

  • You need a running and unsealed vault already.
  • Vault is running at the URL: https://vault.example.com
  • You need an admin login or be able to administer a Keycloak realm
  • Keycloak is running at the URL: https://idms.example.com

Keycloak

Image by marcus-povery.co.uk
  • Go to your realm
  • Realm Settings > General
    Name = vault.example.com
  • Clients > create
    Client ID = vault.example.com
    Client Protocol = openid-connect
  • Clients > vault.example.com
    Client ID = vault.example.com
    Access Type = confidential
    Valid Redirect URIs =
    https://vault.example.com/oidc/oidc/callback
    https://vault.example.com/ui/vault/auth/oidc/oidc/callback
    save
  • Clients > vault.example.com > Credentials > Secret (I refer as OIDC-Client-Secret later)

Vault (cli)

Image by cloudfoundry.org
export VAULT_TOKEN=<your root or access token>

Enable OIDC as authentication mechanism

$ vault auth enable oidc

Write the OIDC Configuration

$ vault write auth/oidc/config \
oidc_discovery_url="https://idms.example.com/auth/realms/vault.example.com" \
oidc_client_id="vault.example.com" \
oidc_client_secret="<OIDC-Client-Secret>" \
default_role=reader

Create a policy file reader.hcl

path "/secret/*" {
capabilities = ["read", "list"]
}

Import the policy to vault

$ cat reader.hcl | vault policy write reader -

Deploy a Role for OIDC

$ vault write auth/oidc/role/reader \
bound_audiences="vault.example.com" \
allowed_redirect_uris="https://vault.example.com/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \
policies=reader

Login to Vault using OIDC and Keycloak

Go to Vault https://vault.example.com

A new window will be opened, where you’ve to type your credentials.

After putting in the correct credentials you’ve to wait a second till the window will be closed.

Now you should be able to use Vault according to the policy you’ve created earlier.

Troubleshooting

Custom CA for web-certificates are in place

Error writing data to auth/oidc/config: Error making API request.URL: PUT http://127.0.0.1:8200/v1/auth/oidc/config
Code: 400. Errors:
* error checking oidc discovery URL: error creating provider with given values: NewProvider: unable to create provider: Get "https://idms.example.com/auth/realms/vault.example.com/.well-known/openid-configuration": x509: certificate signed by unknown authority

You’ve to add your certificate chain to the request, see step Write the OIDC Configuration

Sources:

--

--

D. Heinrich

Working as a IT-Operations engineer at NeXenio, a spin-off by Hasso-Plattner-Institute for products around a digitial workspace.