trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/integrations/services/hashicorp-vault/index.md

92 lines
2.4 KiB
Markdown
Raw Normal View History

website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
---
title: Hashicorp Vault
---
website/docs: support levels (#3103) * website/docs: add badges for integration level Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add badge for sources Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-15 19:31:34 +00:00
<span class="badge badge--primary">Support level: authentik</span>
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
## What is Vault
From https://vaultproject.io
:::note
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
:::
:::note
This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide
:::
## Preparation
The following placeholders will be used:
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
- `authentik.company` is the FQDN of authentik.
- `vault.company` is the FQDN of Vault.
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
### Step 1
In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
- Name: Vault
- Signing Key: Select any available key
- Redirect URIs/Origins:
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
```
https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback
http://localhost:8250/oidc/callback
```
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
:::
### Step 2
In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
- Name: Vault
- Slug: vault-slug
- Provider: Vault
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
### Step 3
Enable the oidc auth method
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
`vault auth enable oidc`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
```
vault write auth/oidc/config \
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
oidc_client_id="Client ID" \
oidc_client_secret="Client Secret" \
default_role="reader"
```
Create the reader role
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar
2022-02-27 23:03:18 +00:00
```
vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.company/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="reader"
```
You should then be able to sign in via OIDC
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-09 19:22:41 +00:00
`vault login -method=oidc role="reader"`