ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
1862f2007438916b4f7d9c9601d4445660d06586
toallab-automation/roles/vault_setup/tasks/configure_oidc.yml

137 lines
4.0 KiB
YAML
Raw Blame History

---
# Configure Keycloak OIDC authentication in Vault.
#
# Creates:
# - OIDC auth method (auth/oidc)
# - OIDC config pointing to Keycloak realm
# - Default OIDC role with groups claim
# - Admin ACL policy
# - External identity group mapped to vault_oidc_admin_group Keycloak group
- name: Set Vault API auth headers
ansible.builtin.set_fact:
__vault_headers:
X-Vault-Token: "{{ vault_vault_root_token }}"
- name: Enable OIDC auth method
ansible.builtin.uri:
url: "{{ vault_url }}/v1/sys/auth/oidc"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
type: oidc
description: Keycloak OIDC
status_code: [200, 204, 400]
register: __vault_enable_oidc
no_log: true
changed_when: __vault_enable_oidc.status in [200, 204]
- name: Configure OIDC provider (Keycloak)
ansible.builtin.uri:
url: "{{ vault_url }}/v1/auth/oidc/config"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
oidc_discovery_url: "{{ vault_oidc_issuer }}"
oidc_client_id: "{{ vault_oidc_client_id }}"
oidc_client_secret: "{{ vault_vault_oidc_client_secret }}"
default_role: default
status_code: [200, 204]
no_log: true
- name: Create default OIDC role
ansible.builtin.uri:
url: "{{ vault_url }}/v1/auth/oidc/role/default"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
bound_audiences:
- "{{ vault_oidc_client_id }}"
allowed_redirect_uris:
- "{{ vault_url }}/ui/vault/auth/oidc/oidc/callback"
- "http://localhost:8250/oidc/callback"
user_claim: preferred_username
groups_claim: groups
token_policies:
- default
token_ttl: "{{ vault_oidc_default_ttl }}"
token_max_ttl: "{{ vault_oidc_max_ttl }}"
status_code: [200, 204]
no_log: true
- name: Create admin ACL policy
ansible.builtin.uri:
url: "{{ vault_url }}/v1/sys/policies/acl/admin"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
policy: |
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
status_code: [200, 204]
no_log: true
- name: Create external identity group for admin
ansible.builtin.uri:
url: "{{ vault_url }}/v1/identity/group"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
name: "{{ vault_oidc_admin_group }}"
type: external
policies:
- admin
status_code: [200, 204]
register: __vault_admin_group
no_log: true
- name: Get OIDC auth method accessor
ansible.builtin.uri:
url: "{{ vault_url }}/v1/sys/auth"
method: GET
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
status_code: 200
register: __vault_auth_list
no_log: true
- name: Set OIDC accessor fact
ansible.builtin.set_fact:
__vault_oidc_accessor: "{{ __vault_auth_list.json['oidc/'].accessor }}"
- name: Create group alias mapping Keycloak group to Vault admin group
ansible.builtin.uri:
url: "{{ vault_url }}/v1/identity/group-alias"
method: POST
headers: "{{ __vault_headers }}"
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
name: "{{ vault_oidc_admin_group }}"
mount_accessor: "{{ __vault_oidc_accessor }}"
canonical_id: "{{ __vault_admin_group.json.data.id }}"
status_code: [200, 204]
no_log: true
- name: Display OIDC configuration summary
ansible.builtin.debug:
msg:
- "Vault OIDC configured:"
- " Provider : {{ vault_oidc_issuer }}"
- " Client : {{ vault_oidc_client_id }}"
- " Admin group: {{ vault_oidc_admin_group }}"
- ""
- "Login at: {{ vault_url }}/ui"
- "Select: OIDC → Sign in with Keycloak"
Reference in New Issue View Git Blame Copy Permalink