Skip to content

Instantly share code, notes, and snippets.

@lightcode
Last active January 2, 2021 13:19
Show Gist options
  • Save lightcode/820a07fb61f70014fb3624e7f882a418 to your computer and use it in GitHub Desktop.
Save lightcode/820a07fb61f70014fb3624e7f882a418 to your computer and use it in GitHub Desktop.
S'authentifier à Vault avec Gitlab en OIDC | https://lightcode.fr/article/vault-gitlab-oidc/
variable gitlab_url {
type = string
description = "URL to Gitlab (example: https://gitlab.example.com)"
}
variable vault_url {
type = string
description = "URL to Vault (example: https://vault.example.com)"
}
variable oidc_client_id {
type = string
}
variable oidc_client_secret {
type = string
}
variable gitlab_group_name {
type = string
}
resource "vault_jwt_auth_backend" "gitlab_oidc" {
path = "oidc"
type = "oidc"
oidc_discovery_url = var.gitlab_url
oidc_client_id = var.oidc_client_id
oidc_client_secret = var.oidc_client_secret
bound_issuer = "localhost"
default_role = "demo"
}
resource "vault_jwt_auth_backend_role" "gitlab_oidc_demo" {
backend = vault_jwt_auth_backend.gitlab_oidc.path
role_type = vault_jwt_auth_backend.gitlab_oidc.type
role_name = "demo"
user_claim = "nickname"
groups_claim = "groups"
oidc_scopes = ["openid"]
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback",
"${var.vault_url}/ui/vault/auth/oidc/oidc/callback"
]
token_policies = ["default"]
token_ttl = 3600
}
resource "vault_identity_group" "group" {
name = var.gitlab_group_name
type = "external"
policies = ["default", "gitlab-${var.gitlab_group_name}"]
}
resource "vault_identity_group_alias" "alias" {
name = vault_identity_group.group.name
mount_accessor = vault_jwt_auth_backend.gitlab_oidc.accessor
canonical_id = vault_identity_group.group.id
}
resource "vault_policy" "demo" {
name = "gitlab-${var.gitlab_group_name}"
policy = <<EOT
path "kv" {
capabilities = ["list"]
}
path "kv/demo/*" {
capabilities = ["list", "read", "create", "update", "delete"]
}
EOT
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment