After installing Vault, run the following command to log in. The root token is printed to stdout on the first run:
$ vault login -method=token [your root token]
Write down your OIDC provider's configuration values, such as client_id and client_secret:
...
Enable the OIDC auth method in Vault:
$ vault auth enable oidc
Set the OIDC config in Vault:
$ vault write auth/oidc/config \
    oidc_discovery_url="[provider url]" \
    oidc_client_id="[client_id]" \
    oidc_client_secret="[client_secret]" \
    default_role="reader" \
    oidc_scopes="openid profile email phone address groups" \
    bound_issuer="localhost"
Create a reader policy in Vault; we are going to assign this policy to our role:
path "secret/*" {
  capabilities = ["read", "list"]
}
Create a role for the OIDC method. Here we create a reader role:
$ vault write auth/oidc/role/reader \
    bound_audiences="[client_id]" \
    allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    groups_claim="groups" \
    user_claim="sub" \
    policies=reader
Log in to Vault using the OIDC method. This command opens your browser to log you in:
$ vault login -method=oidc role=reader
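The steps above, collected into one script as an added example (this is not code from the original page or from HashiCorp). It runs as a dry run by default, printing each vault command with the client secret redacted, and executes them only with APPLY=1. It assumes the vault CLI is on PATH, VAULT_ADDR points at the server, and VAULT_TOKEN holds the root token (the CLI reads that variable, which stands in for the vault login -method=token step); the OIDC_DISCOVERY_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET and BOUND_ISSUER values are placeholders to be overridden from the environment, and the policy file path is an assumption of this script.

```shell
#!/bin/sh
# Added example, not code from the original page: the OIDC setup steps as one
# script. Dry-run by default (prints each vault command, secret redacted);
# APPLY=1 executes them. Assumes the vault CLI is on PATH, VAULT_ADDR points at
# the server and VAULT_TOKEN holds the root token (the CLI reads that variable,
# which replaces the `vault login -method=token` step). Provider values are
# placeholders to be overridden from the environment.
set -eu

OIDC_DISCOVERY_URL="${OIDC_DISCOVERY_URL:-https://issuer.example.invalid}"  # placeholder
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-placeholder-client-id}"                  # placeholder
OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-}"   # export it; never hard-code it in the script
BOUND_ISSUER="${BOUND_ISSUER:-localhost}"      # page value; must equal the iss claim of issued tokens
APPLY="${APPLY:-0}"

# Echo a command with the client secret redacted, then execute it if APPLY=1.
run() {
  shown=""
  for arg in "$@"; do
    case "$arg" in
      oidc_client_secret=*) arg="oidc_client_secret=<redacted>" ;;
    esac
    shown="$shown $arg"
  done
  printf '$%s\n' "$shown"
  if [ "$APPLY" = "1" ]; then
    "$@"
  fi
}

# Refuse to proceed with an empty secret; warn if discovery is not over TLS.
check_inputs() {
  if [ -z "$OIDC_CLIENT_SECRET" ]; then
    echo "error: OIDC_CLIENT_SECRET is not set" >&2
    return 1
  fi
  case "$OIDC_DISCOVERY_URL" in
    https://*) ;;
    *) echo "warning: discovery URL is not https: $OIDC_DISCOVERY_URL" >&2 ;;
  esac
  return 0
}

# The reader policy from the page: read and list under secret/, nothing else.
reader_policy() {
  cat <<'EOF'
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
}

# vault policy write takes the HCL from a file, so render it to one first
# (path is an assumption of this script).
write_reader_policy() {
  policy_file="${TMPDIR:-/tmp}/vault-reader-policy.hcl"
  reader_policy > "$policy_file"
  run vault policy write reader "$policy_file"
}

configure_oidc() {
  check_inputs
  run vault auth enable oidc
  run vault write auth/oidc/config \
    oidc_discovery_url="$OIDC_DISCOVERY_URL" \
    oidc_client_id="$OIDC_CLIENT_ID" \
    oidc_client_secret="$OIDC_CLIENT_SECRET" \
    default_role="reader" \
    oidc_scopes="openid profile email phone address groups" \
    bound_issuer="$BOUND_ISSUER"
  write_reader_policy
  # Repeating allowed_redirect_uris builds a list: the UI callback on 8200
  # and the CLI callback on 8250, exactly as on the page.
  run vault write auth/oidc/role/reader \
    bound_audiences="$OIDC_CLIENT_ID" \
    allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    groups_claim="groups" \
    user_claim="sub" \
    policies=reader
}

# Only act when invoked as `sh setup-oidc.sh setup`, so the file can also be
# sourced for its functions.
case "${1:-}" in
  setup) configure_oidc ;;
esac
```

Usage: `sh setup-oidc.sh setup` prints the plan; `APPLY=1 OIDC_CLIENT_SECRET=... sh setup-oidc.sh setup` applies it, after which `vault login -method=oidc role=reader` works as described above. Keeping the secret in the environment rather than on the command line keeps it out of shell history, and the redacting wrapper keeps it out of any captured dry-run output.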
NOTE
After a successful login with any of the above methods, if you want to change something in Vault that requires root permissions, you need to log in again with the token method using the following command:
$ vault login -method=token [token]
Articles worth mentioning:
hashicorp-vault-groups-integration-with-google-g-suite