Terraform configuration to configure Vault with Okta using the OIDC auth plugin
```hcl
module "okta" {
  source  = "onetwopunch/okta/vault"
  version = "<version>"

  okta_discovery_url = "<Okta Authorization Server Issuer>"
  okta_client_id     = "<Okta Vault App Client ID>"
  okta_client_secret = "<Okta Vault App Client Secret>"
  vault_addr         = "https://<Vault Domain>:8200"

  # ID tokens carry the app client ID as aud; the authz server audience is api://vault.
  okta_bound_audiences = [
    "api://vault",
    "<Okta Vault App Client ID>"
  ]

  # Vault role name => Okta groups that may use it and the policies its tokens get.
  roles = {
    okta_admin = {
      token_policies = ["admin"]
      bound_groups   = ["vault_admins"]
    },
    okta_devs = {
      token_policies = ["devs"]
      bound_groups   = ["vault_devs"]
    }
  }
}
```
Log in either via the UI or the CLI. To get a local Vault token from the CLI, run the following command; it starts a listener on localhost port 8250 by default to receive the OIDC callback. You can override the port with port=xxx on the command, but then you also need to add the matching redirect URI (http://localhost:<port>/oidc/callback) to the Okta app and set the cli_port Terraform variable so the role's allowed_redirect_uris matches. The role name must be one of the keys of the roles map, for example okta_admin from the configuration above.
```shell
vault login -method=oidc -path=okta_oidc role=okta_admin
```
For this to work, you'll need to be an Okta administrator. Configure the following in the Okta Admin console.
Create the groups that will be mapped to Vault roles, for example vault_admins and vault_devs. Their names must start with the prefix used by the groups-claim filter below (vault_), and membership in these groups is what grants access within Vault. Add the relevant users to those groups.
Okta ships with a default authorization server; you can either edit it or create another one. You get to this setting by going to Security > API > Authorization Servers. For this guide, we'll create a new one.
Click Add Authorization Server. For name enter Vault, for audience enter api://vault, and then enter a meaningful description.
Now click into the authorization server you just created and go to the Claims tab. We need to add a groups claim so Vault can tell which groups the user belongs to.
In the Claims tab, click Add Claim with the following attributes:
- Name: groups
- Include in Token Type: ID Token, Always
- Value Type: Groups
- Filter: Starts with: vault_
- Include in: The following scopes: profile
Click Create. The Starts with filter limits the claim to the groups Vault will actually match on, rather than putting every Okta group the user belongs to into the token.
In the Access Policy tab, click Add Policy with the following attributes. This policy grants the Vault app access to the necessary scopes on the authorization server.
- Name: Vault Policy
- Description: Default policy for Vault
- Assign to: All clients
In that policy, we need to add a rule with the following attributes:
- Rule Name: default
- Grant Type: Authorization Code, Implicit
- User is: Any user assigned the app
- Scopes requested: Any Scopes
Once the Vault application exists, you can tighten this by assigning the policy to that client only and restricting the rule to the openid and profile scopes Vault requests.
The rest of the config is dependent on your standards.
Take note of the following fields from this step, which we'll input into Terraform:
- Issuer URI will be plugged in as oidc_discovery_url and bound_issuer in the OIDC path config (the okta_discovery_url module variable).
- Audience will be plugged in as one of the bound_audiences in the role config (okta_bound_audiences).
Next, create a web application for Vault so that Vault can open the Okta login page when requested.
Under Applications click Add Application > Create New App with the following attributes:
- Platform: Web
- Sign on method: OpenID Connect
Then in the configuration:
- Application Name: Vault
- Application logo: (optional)
- Login Redirect URIs: https://<vault-domain>:8200/ui/vault/auth/<vault-path>/oidc/callback
Note that <vault-path> in the redirect URI is whatever mount path you plan to use for the OIDC auth method; in our case we used okta_oidc. The Vault UI redirects to /ui/vault/auth/<vault-path>/oidc/callback, so the auth segment is required. For CLI logins (vault login -method=oidc), also add http://localhost:8250/oidc/callback, or the port you set in cli_port.
Click Save
Now edit the general settings to ensure:
- Allowed Grant Types: Implicit (Hybrid), with Allow ID Token with implicit grant type checked
- Login initiated by: App Only
Vault's OIDC auth method uses the authorization code flow by default (oidc_response_types defaults to code), so the implicit grant is only exercised if the role is configured for id_token responses; leave Authorization Code enabled in either case.
Click the Sign On tab and edit the OpenID Connect ID Token section so that it includes the same groups claim we added on the authorization server: claim name groups, filter Starts with vault_.
Under Assignments add all the users or groups you want assigned to use Vault.
Under Okta API Scopes you'll need to grant the application access to the following:
- okta.groups.read
- okta.users.read.self
Take note of the following fields from this step, which we'll input into Terraform:
- Login Redirect URI will be plugged into the role config as one of the allowed_redirect_uris.
- Client ID and Client Secret will be plugged into the path config as oidc_client_id and oidc_client_secret respectively (okta_client_id and okta_client_secret in the module).
- Under Sign On > OpenID Connect ID Token, the Audience field, which looks like 0oa..., is passed as the second value in the bound_audiences list in the role config. Okta sets the aud of ID tokens to the client ID, which is why it is listed alongside api://vault.
- The groups you created with the vault_ prefix are passed as bound_groups for each role in the roles map (or via the okta_allowed_groups variable) and are matched against the token's groups claim.
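Before and after terraform apply it is worth looking at what Okta actually puts into the ID token and checking it against the role configuration. The script below is an added example, not code from this module or from Vault. It assumes placeholder values for the issuer, client ID and roles, decodes the JWT payload without verifying the signature (Vault does that itself against the authorization server's JWKS), and applies the issuer, audience, expiry and group checks that the role config implies. To use it on a real token, capture the id_token from the Okta /token response and pass it to decode_payload.

```python
"""Decode an Okta ID token and check its claims against the Vault OIDC roles.

Added example; signature verification is deliberately omitted because Vault
performs it against the authorization server's JWKS. This only shows whether
the issuer, audience and groups claim come out the way the role config expects.
"""
import base64
import json
import time

# Assumed placeholder values mirroring the module variables above.
BOUND_ISSUER = "https://example.okta.com/oauth2/aus0example"
BOUND_AUDIENCES = ["api://vault", "0oa0exampleclientid"]
ROLES = {
    "okta_admin": {"token_policies": ["admin"], "bound_groups": ["vault_admins"]},
    "okta_devs": {"token_policies": ["devs"], "bound_groups": ["vault_devs"]},
}
GROUP_PREFIX = "vault_"  # the "Starts with: vault_" filter on the Okta groups claim


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, role: str, now=None) -> list:
    """Return the reasons the token would not satisfy `role`; empty if it would."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != BOUND_ISSUER:
        problems.append("iss %r does not match bound_issuer" % claims.get("iss"))
    # Okta ID tokens carry the client ID in aud; access tokens carry the
    # authorization server audience (api://vault). Any overlap with
    # bound_audiences is enough, which is why both values are listed.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(BOUND_AUDIENCES):
        problems.append("aud %r has no value in bound_audiences" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    groups = list(claims.get("groups", []))
    if not groups:
        problems.append("no groups claim (check the claim filter and that the profile scope is requested)")
    bound = ROLES[role]["bound_groups"]
    if not set(groups) & set(bound):
        problems.append("groups %r do not match role %s bound_groups %r" % (groups, role, bound))
    return problems


def claim_filter_warnings(claims: dict) -> list:
    """Groups in the token that escaped the vault_ filter; should be empty."""
    return [g for g in claims.get("groups", []) if not g.startswith(GROUP_PREFIX)]


def matching_roles(claims: dict, now=None) -> dict:
    """Map every role the token satisfies to the policies its Vault token would get."""
    return {role: cfg["token_policies"] for role, cfg in ROLES.items()
            if not check_claims(claims, role, now)}


def make_demo_token(claims: dict) -> str:
    """Constructed input: an RS256-labelled JWT with a dummy signature segment."""
    header = {"alg": "RS256", "kid": "demo-key"}
    return "%s.%s.%s" % (_b64url_encode(header), _b64url_encode(claims), "sig")


if __name__ == "__main__":
    # Constructed claims resembling an Okta ID token for a member of vault_devs.
    demo = {"iss": BOUND_ISSUER, "aud": "0oa0exampleclientid",
            "sub": "dev@example.com", "exp": 4102444800, "groups": ["vault_devs"]}
    claims = decode_payload(make_demo_token(demo))
    for role in ROLES:
        print(role, check_claims(claims, role) or "ok")
    print("roles satisfied:", matching_roles(claims))
    print("unfiltered groups:", claim_filter_warnings(claims))
```

Run it against a real token after the Okta steps above: an empty list from check_claims for the intended role means Vault will accept the login, a non-empty claim_filter_warnings means the Starts with filter is missing on the claim, and a missing groups claim usually means the profile scope was not included.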
First export the following variables to point at your Vault cluster. The Terraform Vault provider also needs a VAULT_TOKEN in the environment with permission to manage auth methods and policies:
```shell
export VAULT_ADDR=https://<vault-domain>:8200
export VAULT_CACERT=<path-to-ca-cert>
```
Then we use Terraform to apply the changes:
```shell
terraform apply
```
Providers

| Name | Version |
|---|---|
| vault | ~> 2.11 |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| okta_bound_audiences | A list of allowed token audiences | list | n/a | yes |
| okta_client_id | Okta Vault app client ID | string | n/a | yes |
| okta_client_secret | Okta Vault app client secret | string | n/a | yes |
| okta_discovery_url | Okta authz server Issuer URI, i.e. https://<org>.okta.com/oauth2/<authz-server-id> | string | n/a | yes |
| vault_addr | Vault address in the form https://domain:8200 | string | n/a | yes |
| cli_port | Port to open locally to log in with the CLI | number | 8250 | no |
| okta_allowed_groups | Okta groups for Vault admins | list | [ | no |
| okta_mount_path | Mount path for the Okta auth method | string | "okta_oidc" | no |
| roles | Map of Vault role names to their bound groups and token policies, with the same structure as the roles block in the example above | map | {} | no |
| okta_default_lease_ttl | Default lease TTL for Vault tokens | string | "768h" | no |
| okta_max_lease_ttl | Maximum lease TTL for Vault tokens (768h is Vault's system default; consider a shorter value for human logins) | string | "768h" | no |
| okta_token_type | Token type for Vault tokens | string | "default-service" | no |

Outputs

| Name | Description |
|---|---|
| path | Okta OIDC auth path |
| roles | Role names created by this module |