website/integrations: vault: add external group documentation #11994

Open. Wants to merge 2 commits into base: main
58 changes: 57 additions & 1 deletion website/integrations/services/hashicorp-vault/index.md
Expand Up @@ -88,8 +88,64 @@ vault write auth/oidc/role/reader \
policies="reader"
```

## External Groups

If you wish to manage group membership in vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).
Suggested change
If you wish to manage group membership in vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).
If you wish to manage group membership in Hashicorp Vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).


:::note
If you intend to create [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group) in Vault to manage user access the OIDC role will need to specifically request a custom scope using the `oidc_scopes` option when creating the OIDC role.
Does one no longer need to use the oidc_scopes option at all?

This assumes that the steps above have already been completed and tested.
:::

### Step 1

In authentik, edit the oidc provider created above. Unser "Advanced protocol settings" add "authentik default OAuth Mapping: OpenID 'profile'". This includes the "groups" mapping.
Suggested change
In authentik, edit the oidc provider created above. Unser "Advanced protocol settings" add "authentik default OAuth Mapping: OpenID 'profile'". This includes the "groups" mapping.
In authentik, edit the OIDC provider created above. Under **Advanced protocol settings** add `authentik default OAuth Mapping: OpenID 'profile'`. This includes the groups mapping.


### Step 2

In hashicorp vault, change the reader role
Suggested change
In hashicorp vault, change the reader role
In Vault, change the reader role to have the following settings:


```
vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://vault.company/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="reader" \
groups_claim="groups" \
oidc_scopes=[ "openid profile email" ]
```

Add a group
Suggested change
Add a group
Add a group.


```
vault write identity/group/reader \
name="reader" \
policies=["reader"] \
type="external"
```

Get the canonical id of the group
@tanberry tanberry Nov 11, 2024


Suggested change
Get the canonical id of the group
Get the canonical ID of the group.

@tanberry tanberry Nov 11, 2024


If this is the canonical ID, let's add this full name: vault_identity_group


```
vault list identity/group/id
```

Get the id of the oidc accessor
Suggested change
Get the id of the oidc accessor
Get the ID of the OIDC accessor.


```
vault auth list
```


Add a group alias, this maps the group to the oidc backend
Suggested change
Add a group alias, this maps the group to the oidc backend
Add a group alias; this alias maps the group to the OIDC backend.


```
vault write identity/group-alias \
mount_accessor="auth_oidc_xxxxxx" \
canonical_id="group_id" \
name="group name in authentik"
```

You should then be able to sign in via OIDC
Can you add a period at end of this sentence, please?

`vault login -method=oidc role="reader"`
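Review bot: the multi-valued arguments in the Step 2 snippets use a list syntax that the rest of this file does not, and the forms disagree with each other: the pre-existing role command in the hunk context writes `policies="reader"`, the new group command writes `policies=["reader"]`, the updated role command writes `oidc_scopes=[ "openid profile email" ]` with spaces inside the brackets, and the multiple `allowed_redirect_uris` values are given by repeating the key. Pick one convention for multi-valued fields (the repeated-key form already used for `allowed_redirect_uris`, or a single quoted comma-separated value) and apply it to both `policies` and `oidc_scopes`; as written, a reader pasting `oidc_scopes=[ "openid profile email" ]` into a shell gets the opening bracket, the quoted scope string and the closing bracket as three separate arguments rather than one key=value pair. While here, the admonition at the top says the role "will need to specifically request a custom scope", yet Step 2 only sets the standard `profile` and `email` scopes and Step 1 adds the standard profile mapping; the section should state plainly which scopes are actually required so the two parts do not contradict each other.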