hashicorp/vault-guides

Configure OIDC auth using terraform

bartlett-ops opened this issue · 4 comments

Hi, apologies if this has been answered in another issue.

I'm attempting to configure Vault to enable OIDC login using Terraform; however, I can't work out where I should be putting the oidc_client_id etc.

I'm following the guide here, but I can't figure out how it lines up with the Terraform resources here.

If anyone can point me in the right direction I'd really appreciate it.

Hi, did you find a solution for this?

I eventually solved this by using the vault_generic_endpoint resource. Would the jwt_auth_backend be more appropriate?

# Mount the OIDC auth method; with no "path" set, it mounts at auth/oidc.
resource "vault_auth_backend" "oidc" {
  type = "oidc"
  tune {
    # Show the method on the login page before the user authenticates.
    listing_visibility = "unauth"
  }
}

# Write the provider settings to auth/oidc/config via the generic endpoint.
resource "vault_generic_endpoint" "oidc_config" {
  # Works because the mount path defaults to the type ("oidc").
  path                 = "auth/${vault_auth_backend.oidc.type}/config"
  ignore_absent_fields = true # fields Vault does not echo back (e.g. the client secret) must not show as drift
  disable_delete       = true # the config endpoint is not deleted when this resource is destroyed
  data_json = jsonencode(
    {
      oidc_discovery_url = "https://accounts.google.com"
      oidc_client_id     = var.oidc_client_id
      oidc_client_secret = var.oidc_client_secret
      default_role       = "list-only"
    }
  )
}

@bartlettt I think it is. I'm using the jwt_auth_backend and it worked fine.

e.g.

# One resource mounts the method at auth/oidc and writes auth/oidc/config.
resource "vault_jwt_auth_backend" "oidc_config" {
  description = "My OIDC auth config"
  type        = "oidc"
  path        = "oidc"

  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  default_role       = "list-only"
  oidc_discovery_url = "https://accounts.google.com"
}

This resource also creates the backend.
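Both answers above point at a "list-only" role but neither shows it, and the OIDC method will not complete a login until that role exists with its redirect URIs. The configuration below is an added example, not from this thread or the vault-guides repository: it mounts the method with vault_jwt_auth_backend, defines the role with vault_jwt_auth_backend_role, and binds it to a policy. The variable names, the policy body, the Vault hostname, and the hosted-domain value example.com are assumptions.

```hcl
# Added example (not from the thread). Assumed: variable names, the
# "list-only" policy body, the Vault address, and the "example.com" domain.

variable "oidc_client_id" {
  type = string
}

variable "oidc_client_secret" {
  type      = string
  sensitive = true # keeps the secret out of plan/apply output
}

# Constructed policy granting only list on the secret/ mount.
resource "vault_policy" "list_only" {
  name   = "list-only"
  policy = <<-EOT
    path "secret/*" {
      capabilities = ["list"]
    }
  EOT
}

# Mounts auth/oidc and writes auth/oidc/config in one resource.
resource "vault_jwt_auth_backend" "oidc" {
  description        = "Google OIDC login"
  type               = "oidc"
  path               = "oidc"
  oidc_discovery_url = "https://accounts.google.com"
  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  default_role       = "list-only"

  tune {
    listing_visibility = "unauth"
  }
}

resource "vault_jwt_auth_backend_role" "list_only" {
  backend   = vault_jwt_auth_backend.oidc.path
  role_name = "list-only"
  role_type = "oidc"

  # Only accept ID tokens issued to this client.
  bound_audiences = [var.oidc_client_id]
  user_claim      = "email"
  oidc_scopes     = ["openid", "email"]

  # Google sets "hd" to the Workspace domain; limit logins to it (assumed domain).
  bound_claims = {
    hd = "example.com"
  }

  # Vault rejects any callback target not listed here.
  allowed_redirect_uris = [
    "https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback", # used by "vault login -method=oidc"
  ]

  token_policies = [vault_policy.list_only.name]
  token_ttl      = 3600
}
```

The role carries the parts that actually constrain who can log in: bound_audiences ties tokens to this client, bound_claims restricts to one hosted domain, and allowed_redirect_uris is an exact allow-list, so add the UI callback and the CLI callback and nothing broader. Marking the secret variable sensitive keeps it out of Terraform output; it is still written to state, so the state backend needs to be protected accordingly.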