Hashicorp Vault - Part1 - Google OIDC
How to enable and use Google OIDC Authentication on Vault.
On Google/GSuite side:
- Create a new project from Google Cloud Platform (example “Vault Project”).
- Select the “Vault Project” from the drop-down menu at the top of the page.
- Click on “OAuth consent screen”, then select User Type “Internal”, to only allow people from your organization.
- On the same page, Edit App and add App information: App name “MyVaultApp”, User support email “admin@mydomain.com”. Then add App domain info: Authorized domains “mydomain.com”, and Developer contact information “admin@mydomain.com”.
- Continue by selecting scopes: “../auth/userinfo.email”, “../auth/userinfo.profile” and “openid”. Done with the consent screen.
- Create Credentials. Select “Web Application” for Application type and for the Name put “MyVaultApp”.
- For the “Authorized redirect URIs” you will need to add the OIDC callback address of the Vault server: “vault.mydomain.com/ui/vault/auth/oidc/oidc/callback”. Save the credentials that are shown. Done with the credentials.
- Create a Service Account. Name and ID “myvault-sa”.
- Select the “Owner” Role when asked to grant the service account access to the app.
- Copy the Service Account Unique ID; it will be needed later.
- Create a new JSON key for the Service Account. Download the JSON file.
- In Credentials and Service Account, enable the “Domain-wide Delegation” option.
- Go to the Google Admin page and navigate to Security > API Controls > Domain-wide Delegation. Add a new API client (using the Service Account Unique ID copied earlier as the Client ID) with the following scopes: “https://www.googleapis.com/auth/admin.directory.group.readonly” and “https://www.googleapis.com/auth/admin.directory.user.readonly”.
- Then go to the APIs page and enable the Admin SDK API.
On Vault side:
- Create a Kubernetes secret that contains the JSON file from before (assuming Vault is running in the “vault” namespace):
kubectl create secret generic vault-sa-key --from-file=./vault-sa-key.json -n vault
- Mount the secret on the Vault pods.
- Enable Vault OIDC authentication:
vault auth enable oidc
- Set up the authentication backend:
vault write auth/oidc/config -<<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "**your_client_id**",
  "oidc_client_secret": "**your_client_secret**",
  "default_role": "**your_default_role**",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/etc/config/vault-sa-key.json",
    "gsuite_admin_impersonate": "admin@mydomain.com",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5
  }
}
EOF
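The “mount the secret on the Vault pods” step above is the one the post leaves abstract, and it is the step that makes the `gsuite_service_account` path in the config real. The script below is an added example, not code from the original post: it assumes Vault was installed with the official hashicorp/vault Helm chart as release “vault” in namespace “vault”, that the `vault-sa-key` secret from the kubectl step already exists, and it uses the chart’s `server.volumes` / `server.volumeMounts` keys to mount that secret at `/etc/config`. The file names `vault-values-oidc.yaml` and `vault-oidc-config.json` are our own choice; `CLIENT_ID`, `CLIENT_SECRET` and `ADMIN_USER` are read from the environment so the secret never lands in shell history.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): mount the vault-sa-key secret into the
# Vault server pods and render the auth/oidc config from the same mount path, so the
# two cannot drift apart.
# Assumptions: hashicorp/vault Helm chart, release "vault", namespace "vault",
# secret "vault-sa-key" created as in the kubectl step. File names are made up here.
set -eu

NAMESPACE="vault"
RELEASE="vault"
SECRET_NAME="vault-sa-key"
MOUNT_DIR="/etc/config"
KEY_FILE="vault-sa-key.json"

# Path the Vault server sees; must equal provider_config.gsuite_service_account.
sa_key_path() {
  printf '%s/%s\n' "$MOUNT_DIR" "$KEY_FILE"
}

# Helm values override: mount the secret read-only into the server pods.
# 0440 (not 0400) so the non-root vault user, which gets access via fsGroup, can read it.
write_values() {
  cat > "$1" <<EOF
server:
  volumes:
    - name: gsuite-sa-key
      secret:
        secretName: ${SECRET_NAME}
        defaultMode: 0440
  volumeMounts:
    - name: gsuite-sa-key
      mountPath: ${MOUNT_DIR}
      readOnly: true
EOF
}

# OIDC config body with the mount path filled in from sa_key_path.
# CLIENT_ID / CLIENT_SECRET / ADMIN_USER come from the environment (placeholders otherwise).
write_oidc_config() {
  cat > "$1" <<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "${CLIENT_ID:-REPLACE_ME}",
  "oidc_client_secret": "${CLIENT_SECRET:-REPLACE_ME}",
  "default_role": "admin",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "$(sa_key_path)",
    "gsuite_admin_impersonate": "${ADMIN_USER:-admin@mydomain.com}",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5
  }
}
EOF
}

# Upgrade the release, confirm the key is readable inside the pod, then configure auth.
# Only runs when invoked as:  ./vault-oidc-mount.sh apply
apply() {
  write_values vault-values-oidc.yaml
  write_oidc_config vault-oidc-config.json
  helm upgrade "$RELEASE" hashicorp/vault -n "$NAMESPACE" --reuse-values -f vault-values-oidc.yaml
  kubectl -n "$NAMESPACE" rollout status "statefulset/${RELEASE}"
  # Fail early if the mount did not land where the config points.
  kubectl -n "$NAMESPACE" exec "${RELEASE}-0" -- test -r "$(sa_key_path)"
  vault auth enable oidc
  vault write auth/oidc/config @vault-oidc-config.json
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

The `kubectl exec ... test -r` check is the part worth keeping even if you mount the secret some other way: a wrong path or unreadable file only shows up later as a failed group lookup during login, which is much harder to diagnose than a failed `test -r`.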
- Create some Vault policies and roles. Example role:
vault write auth/oidc/role/admin -<<EOF
{
  "bound_audiences": "**Google OAuth Client ID**",
  "allowed_redirect_uris": "https://vault.mydomain.com/ui/vault/auth/oidc/oidc/callback",
  "oidc_scopes": [
    "email"
  ],
  "user_claim": "email",
  "groups_claim": "groups",
  "policies": "**some_vault_policy**",
  "verbose_oidc_logging": "false",
  "claim_mappings": {
    "email": "email"
  },
  "bound_claims": {
    "groups": ["**somegroup**@mydomain.com"]
  }
}
EOF
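The role above shows one group bound to one policy. The script below is an added example, not the post’s own code, that carries the same idea through for several groups: one read-only policy per KV prefix and one OIDC role per Google group, so that group membership (which the gsuite provider fetches with `fetch_groups`, since Google’s ID token itself carries no `groups` claim) decides what a user can read. It assumes `auth/oidc` is already configured as above and a KV v2 engine at `secret/`; the group names `dev-team`/`sre-team`, the prefixes `dev`/`prod` and the policy names are made up for the example. It uses `token_policies`, the current name for the `policies` field in the role above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): one policy and one OIDC role per Google
# group. Group names, KV prefixes and policy names are invented for illustration.
# Assumes auth/oidc is configured and a KV v2 secrets engine is mounted at secret/.
set -eu

CLIENT_ID="${CLIENT_ID:-REPLACE_ME}"   # Google OAuth client ID, goes into bound_audiences
DOMAIN="mydomain.com"
REDIRECT_URI="https://vault.mydomain.com/ui/vault/auth/oidc/oidc/callback"

# HCL policy granting read-only access under one KV v2 prefix.
# usage: policy_hcl <kv-prefix>
policy_hcl() {
  cat <<EOF
path "secret/data/$1/*" {
  capabilities = ["read", "list"]
}
path "secret/metadata/$1/*" {
  capabilities = ["list"]
}
EOF
}

# JSON body for an OIDC role that only admits members of one Google group.
# Short token TTLs keep the blast radius of a leaked token small.
# usage: role_json <group-local-part> <policy-name>
role_json() {
  cat <<EOF
{
  "bound_audiences": "${CLIENT_ID}",
  "allowed_redirect_uris": "${REDIRECT_URI}",
  "oidc_scopes": ["email"],
  "user_claim": "email",
  "groups_claim": "groups",
  "token_policies": "$2",
  "token_ttl": "1h",
  "token_max_ttl": "8h",
  "verbose_oidc_logging": false,
  "bound_claims": {
    "groups": ["$1@${DOMAIN}"]
  }
}
EOF
}

# Write one policy + one role per (group:prefix) pair. Runs only with:  ./roles.sh apply
apply() {
  for pair in "dev-team:dev" "sre-team:prod"; do
    group="${pair%%:*}"
    prefix="${pair##*:}"
    policy="${prefix}-readonly"
    policy_hcl "$prefix" | vault policy write "$policy" -
    role_json "$group" "$policy" | vault write "auth/oidc/role/${group}" -
  done
  # Read one role back and confirm which group it is bound to.
  vault read -field=bound_claims auth/oidc/role/dev-team
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Users then pick the role at login, for example `vault login -method=oidc role=dev-team`; someone who is not a member of `dev-team@mydomain.com` is refused at that step because the `bound_claims` check fails, and a member of `dev-team` who logs in with `role=sre-team` is refused in the same way. Keep `verbose_oidc_logging` off outside of debugging, since it writes the full set of received claims to the Vault log.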
- Done! People from the domain can now sign in to Vault using their Google email. You should be able to create Vault policies and roles and bind them to different Google groups, so that you can restrict who can access what.
Some of the above steps have been simplified. Not everything in this post is best practice, some details have been left out, some properties have been given “template” values. Make sure you adhere to best security practices when setting up your Vault.
If all this seems a bit confusing and you need some help, feel free to send me a message, I’ll be happy to help you.
If this helped you, please feel free to give me a tip! https://ko-fi.com/kostavro