Hashicorp Vault
What is Vault
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide
Preparation
The following placeholders will be used:
authentik.company
is the FQDN of authentik.vault.company
is the FQDN of Vault.
Step 1
In authentik, create an OAuth2/OpenID Provider (under Applications/Providers) with these settings:
Only settings that have been modified from default have been listed.
Protocol Settings
-
Name: Vault
-
Signing Key: Select any available key
-
Redirect URIs/Origins:
https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback
http://localhost:8250/oidc/callback
Take note of the Client ID
and Client Secret
, you'll need to give them to Vault in Step 3.
Step 2
In authentik, create an application (under Resources/Applications) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
Only settings that have been modified from default have been listed.
- Name: Vault
- Slug: vault-slug
- Provider: Vault
Step 3
Enable the oidc auth method
vault auth enable oidc
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
vault write auth/oidc/config \
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
oidc_client_id="Client ID" \
oidc_client_secret="Client Secret" \
default_role="reader"
Create the reader role
vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.company/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="reader"
If you intend to create external groups in Vault to manage user access the OIDC role will need to specifically request a custom scope using the oidc_scopes
option when creating the OIDC role.
You should then be able to sign in via OIDC
vault login -method=oidc role="reader"