HashiCorp Vault with OIDC using Keycloak


Image by marcus-povery.co.uk

Vault (CLI)

Image by cloudfoundry.org
Authenticate the CLI with a token that is allowed to manage auth methods and policies, then enable the OIDC auth method and point it at the Keycloak realm. The discovery URL is the realm URL; Vault appends /.well-known/openid-configuration itself, and the Vault server (not your workstation) is the one that fetches it.

$ export VAULT_TOKEN=<your root or access token>
$ vault auth enable oidc
$ vault write auth/oidc/config \
    oidc_discovery_url="https://idms.example.com/auth/realms/vault.example.com" \
    oidc_client_id="vault.example.com" \
    oidc_client_secret="<OIDC-Client-Secret>"

Write a read-only policy for the secret/ mount. Policy paths are written without a leading slash, and the glob covers both KV v1 and the data/ and metadata/ paths of KV v2.

$ cat > reader.hcl <<'EOF'
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
$ cat reader.hcl | vault policy write reader -

Create the role that OIDC logins map to. bound_audiences is the Keycloak client ID, because Keycloak issues the ID token with that client in its aud claim; allowed_redirect_uris is matched exactly against what the browser is sent back to, so every entry must also be registered verbatim as a valid redirect URI on the Keycloak client. The two entries below cover the Vault server callback and the Vault UI; for vault login -method=oidc from a workstation, Vault's CLI listens on http://localhost:8250/oidc/callback, which then has to be added here and in Keycloak as well.

$ vault write auth/oidc/role/reader \
    bound_audiences="vault.example.com" \
    allowed_redirect_uris="https://vault.example.com/oidc/oidc/callback" \
    allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
    user_claim="sub" \
    token_policies="reader"

Login to Vault using OIDC and Keycloak


Error writing data to auth/oidc/config: Error making API request.

URL: PUT
Code: 400. Errors:

* error checking oidc discovery URL: error creating provider with given values: NewProvider: unable to create provider: Get "https://idms.example.com/auth/realms/vault.example.com/.well-known/openid-configuration": x509: certificate signed by unknown authority

This error comes from the Vault server process, which fetches the discovery document when the config is written and validates Keycloak's TLS certificate against its own trust store. When the realm is served with a certificate from a private CA, give Vault that CA in PEM form through the oidc_discovery_ca_pem parameter of auth/oidc/config (for example oidc_discovery_ca_pem=@ca.pem) rather than trying to turn verification off; an unverified discovery endpoint would let anyone who can intercept that connection hand Vault a forged issuer and jwks_uri.
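The following preflight script is an added example, not from the original post and not Vault's or Keycloak's own code. With only the Python standard library it reproduces, outside Vault, what the vault write auth/oidc/config step above needs from the realm: a TLS chain that verifies against an explicit CA bundle (the same PEM you would later pass as oidc_discovery_ca_pem=@ca.pem), and a discovery document whose issuer is exactly the configured oidc_discovery_url, since Vault's OIDC library rejects a mismatch. It also checks decoded ID-token claims against the role's bound_audiences and user_claim settings. The realm URL and the ca.pem path are assumptions taken from the commands above, and the sample token the checks run on is constructed, not a real Keycloak token.

```python
"""Preflight checks for Vault's auth/oidc config against a Keycloak realm.

Added example for this post; not part of Vault or Keycloak. Hostnames and the
CA file path are assumptions taken from the post's commands.
"""
import base64
import json
import ssl
import urllib.request

# Fields Vault's OIDC provider setup reads from the discovery document.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(realm_url):
    """Where Vault looks: <oidc_discovery_url>/.well-known/openid-configuration."""
    return realm_url.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(realm_url, ca_pem_path):
    """Fetch the discovery document over TLS, trusting only the given CA bundle.

    ca_pem_path is the PEM you would hand to Vault as oidc_discovery_ca_pem.
    Hostname and chain verification stay on; if this raises ssl.SSLError,
    Vault fails the same way ("x509: certificate signed by unknown authority").
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    req = urllib.request.Request(discovery_url(realm_url),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, realm_url):
    """Return the problems Vault would hit with this document ([] means OK)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append(f"missing {field}")
    issuer = doc.get("issuer")
    if issuer and issuer != realm_url:
        # Vault's OIDC library requires an exact string match, so a trailing
        # slash or a Keycloak frontend URL that differs from the configured
        # oidc_discovery_url is rejected at config time.
        problems.append(f"issuer {issuer!r} != oidc_discovery_url {realm_url!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field) or ""
        if value and not value.startswith("https://"):
            problems.append(f"{field} is not https: {value}")
    return problems


def decode_jwt_payload(token):
    """Decode a JWT's claims WITHOUT verifying the signature.

    Inspection only: Vault verifies signatures against jwks_uri, this does not.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, bound_audience, user_claim="sub"):
    """Mirror the role settings: bound_audiences must appear in aud and the
    user_claim must be present and non-empty. Returns a list of problems."""
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # Keycloak emits a string for a single audience
        aud = [aud]
    if bound_audience not in aud:
        problems.append(f"aud {aud!r} does not contain bound audience {bound_audience!r}")
    if not claims.get(user_claim):
        problems.append(f"user_claim {user_claim!r} missing from ID token")
    return problems


def encode_unsigned_claims(claims):
    """Build header.payload. with an empty signature for a CONSTRUCTED sample.

    Exists only so the checks can be exercised offline; a token like this must
    never be accepted by anything.
    """
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    import sys
    # usage: python preflight.py https://idms.example.com/auth/realms/vault.example.com ca.pem
    realm, ca = sys.argv[1], sys.argv[2]
    issues = check_discovery(fetch_discovery(realm, ca), realm)
    print("\n".join(issues) or "discovery document OK for Vault")
    sys.exit(1 if issues else 0)
```

Run it from a host that can reach Keycloak with the realm URL and the CA bundle as arguments; an SSL error here means Vault needs that CA via oidc_discovery_ca_pem, while an issuer mismatch means the Keycloak frontend URL and the oidc_discovery_url have to be made identical before Vault will accept the config.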


