Vault
Example setup
This page walks through an example configuration that connects HashiCorp Vault to Defguard as an OpenID Connect (OIDC) identity provider, so that Defguard users can log in to Vault. The setup is meant for local testing: it runs Vault without TLS and with a single unseal key, which is discussed where it applies.
Create vault.json with the following content:

```json
{
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "tls_disable": 1
    }
  },
  "default_lease_ttl": "168h",
  "max_lease_ttl": "168h",
  "ui": true,
  "log_level": "Debug"
}
```

`tls_disable: 1` and `log_level: Debug` are acceptable only for a local test. Without TLS the root token, the unseal key and the OIDC authorization code travel in clear text between the browser and Vault, and debug logging is very verbose. For anything beyond a test, terminate TLS on the listener and use a lower log level.
Create docker-compose.yaml with the following content:

```yaml
services:
  vault:
    image: vault:latest
    container_name: vault
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
    ports:
      - "8200:8200"
    volumes:
      - ./volumes/vault:/vault/file:rw
      - ./vault.json:/vault/config/vault.json:rw
    cap_add:
      - IPC_LOCK
    entrypoint: vault server -config=/vault/config/vault.json
```

Do not add `-dev` to the entrypoint: dev mode starts Vault already initialised and unsealed with in-memory storage, so the `operator init` and unseal steps below would not apply and nothing would survive a restart. The `vault` image on Docker Hub has been deprecated in favour of `hashicorp/vault`; if `vault:latest` no longer pulls, use `hashicorp/vault:latest`. `VAULT_ADDR` is set inside the container so that the `docker exec ... vault ...` commands below reach the local listener.
Run it using the docker-compose up command.

Initialise Vault, which creates the root token and the unseal key, and write both down:

```shell
docker exec -it vault vault operator init -n 1 -t 1
```

`-n 1 -t 1` produces a single key share with a threshold of one, which is convenient for a test but means that whoever holds that one key can unseal Vault. A real deployment should use several key shares (or auto-unseal) and should revoke the initial root token once another auth method works.
Defguard configuration
Go to OpenID Apps and click the Add new button.
Use the scopes:
openid email profile
Use
http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback
as the Redirect URI. This value must match, character for character, the allowed_redirect_uris configured on the Vault role later: an OpenID provider must reject a redirect URI it does not know, and Vault refuses a login whose redirect URI is not on the role's list.
Copy and save the Client ID and Client secret; they are needed in the next steps.
Vault configuration
Unseal Vault by opening
http://127.0.0.1:8200/ui
and entering the unseal key. Log in to Vault using the Token method with the root token. Navigate to Access -> Auth Methods and click the Enable new method button.
Enable the OIDC method.
Use the values below:
OIDC discovery URL: https://defguard.company.net/
OIDC client ID: <YOUR_CLIENT_ID>
OIDC client secret: <YOUR_CLIENT_SECRET>
Replace defguard.company.net with the hostname of your Defguard instance. Vault fetches <discovery URL>/.well-known/openid-configuration and validates ID tokens against the issuer it finds there, so the URL must be reachable from the Vault container, served with a certificate Vault trusts, and equal to the issuer Defguard advertises, including whether it ends with a slash.
Creating role in vault
Log in to the Vault CLI using the root token:

```shell
docker exec -it vault vault login <ROOT_TOKEN>
```

To create the role reader, use the command below:

```shell
docker exec -it vault vault write auth/oidc/role/reader \
  bound_audiences="<YOUR_CLIENT_ID>" \
  allowed_redirect_uris="http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
  user_claim="sub" \
  token_policies="default"
```

bound_audiences makes Vault accept only ID tokens whose aud claim is this client ID, and user_claim="sub" uses Defguard's stable subject identifier as the name of the identity entity alias Vault creates on first login.
Now you can log in to Vault using Defguard: choose OIDC as the login method and enter reader as the role. Note that this role only allows you to log in; the default policy grants almost nothing, so to give real permissions you need to create a policy and assign it to the role.
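As an added example (not part of the Defguard documentation or the Vault project), the script below gives the reader role read-only access to one KV v2 path. It assumes things the page does not state: that the KV v2 secrets engine is mounted at secret/, that the secrets of interest live under team/, and that the vault CLI is already logged in (for instance by running it inside the container after the vault login step above). <YOUR_CLIENT_ID> is a placeholder for the Defguard client ID. It also registers the callback the Vault CLI uses for `vault login -method=oidc`, which must then be added as a second Redirect URI in the Defguard app.

```shell
# Added example (not from the Defguard docs): grant the OIDC role "reader"
# read-only access to a KV v2 path. Assumptions not on the original page:
# KV v2 is mounted at "secret/", secrets live under "team/", and the vault
# CLI is already logged in. CLIENT_ID is a placeholder for the Defguard
# client ID unless set in the environment.
set -eu

ROLE="reader"
POLICY="reader"
CLIENT_ID="${CLIENT_ID:-<YOUR_CLIENT_ID>}"
UI_REDIRECT_URI="http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback"
# `vault login -method=oidc` listens on localhost:8250 and uses this callback;
# it has to be registered as a redirect URI in the Defguard app as well.
CLI_REDIRECT_URI="http://localhost:8250/oidc/callback"

# Write the policy document to the given file and echo its path.
# KV v2 stores values under <mount>/data/<path> and metadata under
# <mount>/metadata/<path>; "list" on metadata lets the UI browse the tree
# without revealing values, and no write capability is granted anywhere.
write_policy_file() {
  local out="$1"
  cat > "$out" <<'EOF'
# Read-only access to the team's secrets (KV v2 mounted at secret/)
path "secret/data/team/*" {
  capabilities = ["read"]
}
path "secret/metadata/team/*" {
  capabilities = ["read", "list"]
}
EOF
  echo "$out"
}

policy_file="$(write_policy_file reader.hcl)"

if command -v vault >/dev/null 2>&1; then
  # Register the policy, then attach it to the role next to "default".
  # The role's other parameters are repeated so the role stays fully specified.
  vault policy write "$POLICY" "$policy_file"
  vault write "auth/oidc/role/$ROLE" \
    bound_audiences="$CLIENT_ID" \
    allowed_redirect_uris="$UI_REDIRECT_URI,$CLI_REDIRECT_URI" \
    user_claim="sub" \
    token_policies="default,$POLICY"
  # Confirm the change: token_policies should now list default and reader.
  vault read "auth/oidc/role/$ROLE"
else
  echo "vault CLI not found; policy written to $policy_file but not applied" >&2
fi
```

After this, a Defguard user who logs in with the reader role can read secret/team/* and browse its keys, but cannot create, update or delete anything. Keep the policy as narrow as the page's example and widen it path by path rather than granting `secret/*`.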