How to set up OIDC on Vault?
Just for the sake of clarity, we are talking about Hashicorp Vault here.
Create a policy
The first step is to write a policy for the users that will login
through OIDC. A good guide on Vault policies can be found
assume you wrote your policy document in a file named
mypolicy.hcl, you would then run this:
If you want to be sure, you can read it back:
To list the existing policies:
The next step is to enable the OIDC authentication method:
-path argument is optional. By default, the OIDC method is
oidc/, but you can use the
-path argument to change
that. If you do choose a different mount path, you can tune the UI to
make it more visible:
If you want to verify that your command worked, you can list the auth methods like so:
Make a note of the “mount accessor”, you will need it later. When you
vault auth list, the third column is the mount accessor, and it
The next step is to configure OIDC. This requires the OIDC client id, the OIDC client secret and the discovery URL from the OIDC provider.
We now need to create the role MYROLE for the OIDC auth method.
Create OIDC role
To create the OIDC role, you will need to know the allowed redirect URLs, as well as some details
verbose_oidc_logging=true parameter is useful for debugging when
setting things up. Please note that the overall Vault log level must
be set to
debug for this parameter to take effect. You should remove
this parameter when deploying to production.
groups_claim, etc. will vary. Maybe you will need
to add more claims, it all depends on your setup. Setting the policy
default is probably a good idea, because all users that will
login via OIDC will be assigned this policy. Fine-tuning in terms of
what users can access or not can be done by assigning additional
policies. In this article, we will assign additional policies through
groups. So an “admin” group can have very wide permissions, while a
“dev” group would have a narrower set of permissions.
Create the group
Now let’s create a group:
In the output, you will find the group id. Make a note of it, you will need it later. Please note the following:
- The group is of type “external”, because we want to be able to use it for users that login through OIDC
- The group name is “myteam”, which can be different from the group name on the OIDC provider
- We assigned the policy we created earlier
We now need to link this Vault group with the OIDC group:
GROUP_IDis the group id you noted down earlier
- The ‘MOUNT_ACCESSOR` is the mount access you noted down earlier
- The group name
theteamis the OIDC group name, which will be set as the value of the claim identified in the
groups_claimparameter when you created the OIDC role
Point your browser to your Vault UI. Select the
method. If you chose a non-standard mount path for the OIDC auth
method, you will need to click on “More options” and set the path
there. If you tuned the visibility of the OIDC auth method, you should
be able to see the non-standard mount path there.
Click on “Sign in with OIDC provider”. A pop-up will appear for you to authenticate with the OIDC provider, and give permission to Vault to use your account. If everything went well, you should now be logged in.
If on the OIDC provider you are a member of the
theteam group, you
should now have the policy
mypolicy attached to your token. You can
check your token like so. Click on the human figure in the top right
corner and click on “copy token”. On the command line, run the
following (paste the clipboard for TOKEN):
You should be able to see the
policies field set to
identity_policies set to
To login using the command line, run the following:
You can omit the
-path=MYPATH argument if you mounted the OIDC auth
method on the default path. A browser window should pop up, and the
rest is similar to logging in with the UI method explained above.