authentik/website/integrations/services/hashicorp-vault/index.md

---
title: Hashicorp Vault
---

<span class="badge badge--primary">Support level: authentik</span>

## What is Vault

> Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
>
> -- https://vaultproject.io

:::note
This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide
:::

## Preparation

The following placeholders will be used:

-   `authentik.company` is the FQDN of authentik.
-   `vault.company` is the FQDN of Vault.

### Step 1

In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:

:::note
Only settings that have been modified from default have been listed.
:::

**Protocol Settings**

-   Name: Vault
-   Signing Key: Select any available key

-   Redirect URIs/Origins:

```
https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback
http://localhost:8250/oidc/callback
```

:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
:::

### Step 2

In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.

:::note
Only settings that have been modified from default have been listed.
:::

-   Name: Vault
-   Slug: vault-slug
-   Provider: Vault

### Step 3

Enable the oidc auth method
`vault auth enable oidc`

Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider

```
vault write auth/oidc/config \
         oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
         oidc_client_id="Client ID" \
         oidc_client_secret="Client Secret" \
         default_role="reader"
```

Create the reader role

```
vault write auth/oidc/role/reader \
      bound_audiences="Client ID" \
      allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \
      allowed_redirect_uris="https://vault.company/oidc/callback" \
      allowed_redirect_uris="http://localhost:8250/oidc/callback" \
      user_claim="sub" \
      policies="reader"
```

You should then be able to sign in via OIDC
`vault login -method=oidc role="reader"`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00			`---`
			`title: Hashicorp Vault`
			`---`

website/docs: support levels (#3103) * website/docs: add badges for integration level Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add badge for sources Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-15 19:31:34 +00:00			`<span class="badge badge--primary">Support level: authentik</span>`

website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00			`## What is Vault`

website/integrations: cite better (#6431) * update awx-tower to RHAAP Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate to new quotation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update all Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-07-31 10:16:58 +00:00			`> Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.`
			`>`
			`> -- https://vaultproject.io`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			`:::note`
			`This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide`
			`:::`

			`## Preparation`

			`The following placeholders will be used:`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			- `authentik.company` is the FQDN of authentik.
			- `vault.company` is the FQDN of Vault.
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			`### Step 1`

website/integrations: add Netbox integration (#5683) * website: add Netbox integration * website: fix Netbox spelling mistakes * website: add NetBox groups and roles * website: NetBox use default property mapping ad base * website: add NetBox logout url Signed-off-by: Lars Lehmann <33843261+larsl-net@users.noreply.github.com> * website: fix NetBox logout url Signed-off-by: Lars Lehmann <33843261+larsl-net@users.noreply.github.com> * website: fix NetBox spelling Signed-off-by: Lars Lehmann <33843261+larsl-net@users.noreply.github.com> * small formatting fixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Lars Lehmann <33843261+larsl-net@users.noreply.github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> 2023-06-25 16:42:02 +00:00			`In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			`:::note`
			`Only settings that have been modified from default have been listed.`
			`:::`

			`Protocol Settings`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`- Name: Vault`
			`- Signing Key: Select any available key`

			`- Redirect URIs/Origins:`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			```
			`https://vault.company/ui/vault/auth/oidc/oidc/callback`
			`https://vault.company/oidc/callback`
			`http://localhost:8250/oidc/callback`
			```
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00			`:::note`
			Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
			`:::`

			`### Step 2`

			`In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.`

			`:::note`
			`Only settings that have been modified from default have been listed.`
			`:::`

website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`- Name: Vault`
			`- Slug: vault-slug`
			`- Provider: Vault`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			`### Step 3`

			`Enable the oidc auth method`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`vault auth enable oidc`
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00
			`Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00			```
			`vault write auth/oidc/config \`
			`oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \`
			`oidc_client_id="Client ID" \`
			`oidc_client_secret="Client Secret" \`
			`default_role="reader"`
			```

			`Create the reader role`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00
website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar 2022-02-27 23:03:18 +00:00			```
			`vault write auth/oidc/role/reader \`
			`bound_audiences="Client ID" \`
			`allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \`
			`allowed_redirect_uris="https://vault.company/oidc/callback" \`
			`allowed_redirect_uris="http://localhost:8250/oidc/callback" \`
			`user_claim="sub" \`
			`policies="reader"`
			```

			`You should then be able to sign in via OIDC`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`vault login -method=oidc role="reader"`