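---
# Configure Keycloak OIDC authentication in Vault.
#
# Creates:
#   - OIDC auth method (auth/oidc)
#   - OIDC config pointing to Keycloak realm
#   - Default OIDC role with groups claim
#   - Admin ACL policy
#   - External identity group mapped to vault_oidc_admin_group Keycloak group
#
# Variables read here (defined by the caller):
#   vault_url, vault_validate_certs, vault_vault_root_token,
#   vault_oidc_issuer, vault_oidc_client_id, vault_vault_oidc_client_secret,
#   vault_oidc_admin_group, vault_oidc_default_ttl, vault_oidc_max_ttl
#
# Every API call carries the root token, so all uri tasks are no_log to keep
# the token and the client secret out of callback output and logs.

- name: Set Vault API auth headers
  ansible.builtin.set_fact:
    __vault_headers:
      X-Vault-Token: "{{ vault_vault_root_token }}"
  # set_fact results are printed under -v; keep the root token out of them.
  no_log: true

- name: Enable OIDC auth method
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/auth/oidc"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      type: oidc
      description: Keycloak OIDC
    # 400 is tolerated only for "path is already in use" on re-runs;
    # failed_when below rejects any other 400.
    status_code: [200, 204, 400]
  register: __vault_enable_oidc
  no_log: true
  changed_when: __vault_enable_oidc.status in [200, 204]
  failed_when: >-
    __vault_enable_oidc.status == 400 and
    'already in use' not in
    ((__vault_enable_oidc.json | default({})).errors | default([]) | join(' '))

- name: Configure OIDC provider (Keycloak)
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/auth/oidc/config"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      # Vault derives the discovery document from this URL; it should be the
      # realm issuer URL without any .well-known suffix.
      oidc_discovery_url: "{{ vault_oidc_issuer }}"
      oidc_client_id: "{{ vault_oidc_client_id }}"
      oidc_client_secret: "{{ vault_vault_oidc_client_secret }}"
      default_role: default
    status_code: [200, 204]
  no_log: true

- name: Create default OIDC role
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/auth/oidc/role/default"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      # Only ID tokens issued for this client are accepted.
      bound_audiences:
        - "{{ vault_oidc_client_id }}"
      # UI callback plus the local listener used by CLI logins.
      allowed_redirect_uris:
        - "{{ vault_url }}/ui/vault/auth/oidc/oidc/callback"
        - "http://localhost:8250/oidc/callback"
      user_claim: preferred_username
      # The Keycloak client must expose group membership in a "groups" claim;
      # the group alias created below is matched against its values.
      groups_claim: groups
      token_policies:
        - default
      token_ttl: "{{ vault_oidc_default_ttl }}"
      token_max_ttl: "{{ vault_oidc_max_ttl }}"
    status_code: [200, 204]
  no_log: true

- name: Create admin ACL policy
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/policies/acl/admin"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      # Root-equivalent: every path, every capability including sudo.
      # Only the external admin group below is attached to it.
      policy: |
        path "*" {
          capabilities = ["create", "read", "update", "delete", "list", "sudo"]
        }
    status_code: [200, 204]
  no_log: true

- name: Create external identity group for admin
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/identity/group"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      name: "{{ vault_oidc_admin_group }}"
      type: external
      policies:
        - admin
    status_code: [200, 204]
  register: __vault_admin_group
  no_log: true

- name: Read admin identity group by name
  # On re-runs the POST above updates the existing group; reading it back
  # makes canonical_id independent of the create/update response shape.
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/identity/group/name/{{ vault_oidc_admin_group }}"
    method: GET
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    status_code: 200
  register: __vault_admin_group_info
  no_log: true

- name: Get OIDC auth method accessor
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/auth"
    method: GET
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    status_code: 200
  register: __vault_auth_list
  no_log: true

- name: Set OIDC accessor fact
  ansible.builtin.set_fact:
    __vault_oidc_accessor: "{{ __vault_auth_list.json['oidc/'].accessor }}"

- name: Create group alias mapping Keycloak group to Vault admin group
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/identity/group-alias"
    method: POST
    headers: "{{ __vault_headers }}"
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      # Must equal the value Keycloak emits in the groups claim; a full-path
      # group mapper emits "/<group>" rather than "<group>" — verify against a
      # decoded token from the realm.
      name: "{{ vault_oidc_admin_group }}"
      mount_accessor: "{{ __vault_oidc_accessor }}"
      canonical_id: "{{ __vault_admin_group_info.json.data.id }}"
    status_code: [200, 204]
  no_log: true

- name: Display OIDC configuration summary
  ansible.builtin.debug:
    msg:
      - "Vault OIDC configured:"
      - "  Provider   : {{ vault_oidc_issuer }}"
      - "  Client     : {{ vault_oidc_client_id }}"
      - "  Admin group: {{ vault_oidc_admin_group }}"
      - ""
      - "Login at: {{ vault_url }}/ui"
      - "Select: OIDC → Sign in with Keycloak"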