website/integrations: vault: add external group documentation (#11994)

* Add external group documentation for vault

Signed-off-by: Mattis Haase <accounts@mattis-haase.de>

* Spelling changes, linting

---------

Signed-off-by: Mattis Haase <accounts@mattis-haase.de>
Co-authored-by: mzhaase <mattis@mattis-haase.de>
Mattis Haase
2024-12-17 20:15:08 +01:00
committed by GitHub
parent b7a1a9c107
commit 3f788e7abe


@ -88,8 +88,63 @@ vault write auth/oidc/role/reader \
policies="reader"
```
## External Groups
If you wish to manage group membership in Hashicorp Vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).
:::note
If you intend to create [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group) in Vault to manage user access the OIDC role will need to specifically request a custom scope using the `oidc_scopes` option when creating the OIDC role.
This assumes that the steps above have already been completed and tested.
:::
You should then be able to sign in via OIDC
### Step 1
In authentik, edit the OIDC provider created above. Under **Advanced protocol settings** add `authentik default OAuth Mapping: OpenID 'profile'` This includes the groups mapping.
### Step 2
In Vault, change the reader role to have the following settings:
```
vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.company/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="reader" \
groups_claim="groups" \
oidc_scopes=[ "openid profile email" ]
```
Add a group.
```
vault write identity/group/reader \
name="reader" \
policies=["reader"] \
type="external"
```
Get the canonical ID of the group.
```
vault list identity/group/id
```
Get the ID of the OIDC accessor.
```
vault auth list
```
Add a group alias, this maps the group to the OIDC backend.
```
vault write identity/group-alias \
mount_accessor="auth_oidc_xxxxxx" \
canonical_id="group_id" \
name="group name in authentik"
```
You should then be able to sign in via OIDC.
`vault login -method=oidc role="reader"`
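Review bot: the list-valued arguments in the Step 2 commands are not in a form the `vault` CLI accepts from a shell. `oidc_scopes=[ "openid profile email" ]` is word-split by the shell into `oidc_scopes=[`, `openid profile email` and `]`, and `vault write` rejects arguments that are not `key=value`; `policies=["reader"]` reaches Vault as the single literal `policies=[reader]`. Use comma-separated strings like the rest of the role command, e.g. `oidc_scopes="profile,email"` and `policies="reader"` (Vault adds the `openid` scope itself, so it need not be listed). The group creation path `vault write identity/group/reader` is also not one the identity API exposes; create the group with `vault write identity/group name="reader" ...` or via `identity/group/name/reader`. Documentation cleanups in the same hunk: the line "You should then be able to sign in via OIDC" above "### Step 1" is a stray duplicate of the closing sentence and should be dropped; the note block repeats the external-groups link from the paragraph directly above it and could be trimmed to the `oidc_scopes` requirement plus the "steps above" assumption; and "Hashicorp" should read "HashiCorp" while "Authentik" should be lowercase as in the Step 1 text.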