Hashicorp Vault with OIDC using Keycloak
Jun 30, 2021
I recently had to configure HashiCorp's Vault to integrate with our SSO provider Keycloak using OpenID Connect.
NOTE:
- You need a running and unsealed vault already.
- Vault is running at the URL: https://vault.example.com
- You need an admin login or be able to administer a Keycloak realm
- Keycloak is running at the URL: https://idms.example.com
Keycloak
- Go to your realm
- Realm Settings > General
Name = vault.example.com
- Clients > create
Client ID = vault.example.com
Client Protocol = openid-connect
- Clients > vault.example.com
Client ID = vault.example.com
Access Type = confidential
Valid Redirect URIs =
https://vault.example.com/oidc/oidc/callback
https://vault.example.com/ui/vault/auth/oidc/oidc/callback
save
- Clients > vault.example.com > Credentials > Secret (referred to as OIDC-Client-Secret below)
Vault (CLI)
export VAULT_TOKEN=<your root or access token>
Enable OIDC as an authentication method
$ vault auth enable oidc
Write the OIDC Configuration
$ vault write auth/oidc/config \
oidc_discovery_url="https://idms.example.com/auth/realms/vault.example.com" \
oidc_client_id="vault.example.com" \
oidc_client_secret="<OIDC-Client-Secret>" \
default_role=reader
Create a policy file reader.hcl
path "/secret/*" {
capabilities = ["read", "list"]
}
Import the policy into Vault
$ cat reader.hcl | vault policy write reader -
Create a role for OIDC
$ vault write auth/oidc/role/reader \
bound_audiences="vault.example.com" \
allowed_redirect_uris="https://vault.example.com/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \
policies=reader
Log in to Vault using OIDC and Keycloak
Go to Vault at https://vault.example.com
A new window opens, where you have to enter your credentials.
After entering the correct credentials, wait a moment until the window closes.
Now you should be able to use Vault according to the policy you created earlier.
Troubleshooting
A custom CA for the web certificates is in place
Error writing data to auth/oidc/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/oidc/config
Code: 400. Errors:
* error checking oidc discovery URL: error creating provider with given values: NewProvider: unable to create provider: Get "https://idms.example.com/auth/realms/vault.example.com/.well-known/openid-configuration": x509: certificate signed by unknown authority
You have to add your certificate chain to the request; see the step Write the OIDC Configuration.
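The whole Vault-side procedure above (enable the auth method, write the config, the reader policy and the role) as one re-runnable script, including the custom-CA case from this troubleshooting note. This is an added example, not the author's script: it assumes the vault CLI is on PATH with VAULT_ADDR and VAULT_TOKEN exported, the variable names KEYCLOAK_URL, REALM, VAULT_PUBLIC_URL, CLIENT_SECRET and CA_PEM are this script's own, and the CA chain is handed to Vault through its oidc_discovery_ca_pem config parameter.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed inputs: vault CLI on PATH,
# VAULT_ADDR/VAULT_TOKEN exported, CLIENT_SECRET = the Keycloak client secret,
# CA_PEM = path to the CA chain PEM when Keycloak uses a private CA (optional).
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-https://idms.example.com}"
REALM="${REALM:-vault.example.com}"          # realm name == client ID in the post
VAULT_PUBLIC_URL="${VAULT_PUBLIC_URL:-https://vault.example.com}"
CA_PEM="${CA_PEM:-}"

# Discovery URL as used in the post: <keycloak>/auth/realms/<realm>
discovery_url() { printf '%s/auth/realms/%s\n' "$1" "$2"; }

# The two callback URIs Vault needs (CLI login and web UI login)
redirect_uris() {
  printf '%s/oidc/oidc/callback\n' "$1"
  printf '%s/ui/vault/auth/oidc/oidc/callback\n' "$1"
}

# Read-only policy, same content as reader.hcl in the post
reader_policy() { printf 'path "/secret/*" {\n  capabilities = ["read", "list"]\n}\n'; }

configure_vault() {
  # Skip enabling when the oidc/ mount already exists, so the script can be re-run
  vault auth list -format=json | grep -q '"oidc/"' || vault auth enable oidc
  ca_arg=""
  if [ -n "$CA_PEM" ]; then
    # @file makes the CLI read the PEM; this is what fixes the x509 error above
    ca_arg="oidc_discovery_ca_pem=@$CA_PEM"
  fi
  vault write auth/oidc/config \
    oidc_discovery_url="$(discovery_url "$KEYCLOAK_URL" "$REALM")" \
    oidc_client_id="$REALM" \
    oidc_client_secret="${CLIENT_SECRET:?set CLIENT_SECRET to the Keycloak client secret}" \
    default_role=reader $ca_arg
  reader_policy | vault policy write reader -
  # Repeat allowed_redirect_uris once per URI, as the post does by hand
  set --
  for u in $(redirect_uris "$VAULT_PUBLIC_URL"); do set -- "$@" "allowed_redirect_uris=$u"; done
  vault write auth/oidc/role/reader bound_audiences="$REALM" \
    user_claim="sub" token_policies=reader "$@"   # token_policies: current name for policies=
}

# Only act when invoked as "sh configure-vault-oidc.sh apply"; otherwise just define functions
if [ "${1:-}" = "apply" ]; then configure_vault; fi
```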