Configure OIDC auth using terraform
bartlett-ops opened this issue · 4 comments
Hi, apologies if this has been answered in another issue.
I'm attempting to configure Vault to enable OIDC login using Terraform; however, I can't work out where I should be putting the oidc_client_id etc.
I'm following the guide here, but I can't figure out how it lines up with the Terraform resources here.
If anyone can point me in the right direction I'd really appreciate it.
Hi, did you find a solution for this?
It's under the vault_jwt_auth_backend: https://www.terraform.io/docs/providers/vault/r/jwt_auth_backend.html
I eventually solved this by using the vault_generic_endpoint resource. Would the jwt_auth_backend be more appropriate?
```hcl
# Mount the OIDC auth method at auth/oidc (path defaults to the type).
resource "vault_auth_backend" "oidc" {
  type = "oidc"

  tune {
    listing_visibility = "unauth"
  }
}

# Write the method's config endpoint directly, since the mount resource
# does not know about the OIDC-specific settings.
resource "vault_generic_endpoint" "oidc_config" {
  # Reference the mount path rather than the type, so this still works
  # if the backend is ever mounted under a custom path.
  path                 = "auth/${vault_auth_backend.oidc.path}/config"
  ignore_absent_fields = true
  disable_delete       = true

  data_json = jsonencode({
    oidc_discovery_url = "https://accounts.google.com"
    oidc_client_id     = var.oidc_client_id
    oidc_client_secret = var.oidc_client_secret
    default_role       = "list-only"
  })
}
```
@bartlettt I think it is. I'm using the jwt_auth_backend and it worked fine.
e.g.
```hcl
# One resource both mounts the auth method and writes auth/oidc/config.
resource "vault_jwt_auth_backend" "oidc_config" {
  description        = "My OIDC auth config"
  type               = "oidc"
  path               = "oidc"
  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  default_role       = "list-only"
  oidc_discovery_url = "https://accounts.google.com"
}
```
This resource also creates the backend.
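Added example, not code from any participant in this thread: a complete OIDC login setup built on the vault_jwt_auth_backend resource discussed above. Both configs in the thread point default_role at "list-only" but never define that role, and a login against a missing role fails, so this example adds the vault_jwt_auth_backend_role and the vault_policy it grants. The role name, policy contents, Google discovery URL, the vault.example.com hostname and the redirect URIs are assumptions for illustration; the user_claim, bound_audiences, allowed_redirect_uris and sensitive-variable settings are the parts a reviewer would check before applying.

```hcl
# Added example (not from the issue thread). Names such as "list-only",
# vault.example.com and the policy body are assumptions for illustration.

variable "oidc_client_id" {
  type = string
}

variable "oidc_client_secret" {
  type      = string
  sensitive = true # keeps the secret out of plan/apply output
}

# Mounts the auth method at auth/oidc and writes auth/oidc/config in one go.
resource "vault_jwt_auth_backend" "oidc" {
  description        = "OIDC login via Google"
  type               = "oidc"
  path               = "oidc"
  oidc_discovery_url = "https://accounts.google.com"
  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  default_role       = "list-only"

  tune {
    listing_visibility = "unauth" # lets the UI show the method on the login page
  }
}

# The default_role referenced above must exist, or every login is rejected.
resource "vault_jwt_auth_backend_role" "list_only" {
  backend   = vault_jwt_auth_backend.oidc.path
  role_name = "list-only"
  role_type = "oidc"

  # Vault checks the ID token's "aud" claim against this list, so only tokens
  # minted for this client are accepted.
  bound_audiences = [var.oidc_client_id]
  user_claim      = "email"
  oidc_scopes     = ["openid", "email"]

  # Only these callbacks may receive the authorization code: the UI callback
  # and the CLI's local listener are the usual two entries.
  allowed_redirect_uris = [
    "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
    "http://localhost:8250/oidc/callback",
  ]

  token_policies = [vault_policy.list_only.name]
  token_ttl      = 3600
}

# Minimal policy attached to tokens issued through the role.
resource "vault_policy" "list_only" {
  name   = "list-only"
  policy = <<-EOT
    path "secret/*" {
      capabilities = ["list"]
    }
  EOT
}
```

Once applied, `vault login -method=oidc role=list-only` opens the provider's login page and returns a token carrying only the list-only policy; any other role name must be created the same way before it can be used.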