From 13adca07638b22ecd0c0eef788acb7fd76cf4c34 Mon Sep 17 00:00:00 2001 From: UniserveJake <98938059+UniserveJake@users.noreply.github.com> Date: Sun, 27 Feb 2022 15:03:18 -0800 Subject: [PATCH] website/integrations: add hashicorp vault integration to website (#2363) * add hashicorp vault basic instructions for hashicorp vault * removed auth0, updated redirect_uri's removed auth0, updated redirect_uri's to include localhost * Add hashicorp vault to app list Add hashicorp-vault to the applications sidebar --- .../services/hashicorp-vault/index.md | 85 +++++++++++++++++++ website/sidebarsIntegrations.js | 1 + 2 files changed, 86 insertions(+) create mode 100644 website/integrations/services/hashicorp-vault/index.md diff --git a/website/integrations/services/hashicorp-vault/index.md b/website/integrations/services/hashicorp-vault/index.md new file mode 100644 index 000000000..02349dc73 --- /dev/null +++ b/website/integrations/services/hashicorp-vault/index.md 
@@ -0,0 +1,85 @@ +--- +title: Hashicorp Vault +--- + +## What is Vault + +From https://vaultproject.io + +:::note +Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. +::: + +:::note +This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in depth vault guide +::: + +## Preparation + +The following placeholders will be used: + +- `authentik.company` is the FQDN of authentik. +- `vault.company` is the FQDN of Vault. + +### Step 1 + +In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings: + +:::note +Only settings that have been modified from default have been listed. +::: + +**Protocol Settings** + +- Name: Vault +- Signing Key: Select any available key + +- Redirect URIs/Origins: +``` +https://vault.company/ui/vault/auth/oidc/oidc/callback +https://vault.company/oidc/callback +http://localhost:8250/oidc/callback +``` +:::note +Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_. +::: + +### Step 2 + +In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings. + +:::note +Only settings that have been modified from default have been listed. 
+::: + +- Name: Vault +- Slug: vault-slug +- Provider: Vault + +### Step 3 + +Enable the oidc auth method +```vault auth enable oidc``` + +Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider +``` +vault write auth/oidc/config \ + oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \ + oidc_client_id="Client ID" \ + oidc_client_secret="Client Secret" \ + default_role="reader" +``` + +Create the reader role +``` +vault write auth/oidc/role/reader \ + bound_audiences="Client ID" \ + allowed_redirect_uris="https://vault.company/ui/vault/auth/oidc/oidc/callback" \ + allowed_redirect_uris="https://vault.company/oidc/callback" \ + allowed_redirect_uris="http://localhost:8250/oidc/callback" \ + user_claim="sub" \ + policies="reader" +``` + +You should then be able to sign in via OIDC +```vault login -method=oidc role="reader"``` diff --git a/website/sidebarsIntegrations.js b/website/sidebarsIntegrations.js index 074147161..9fa8a39e2 100644 --- a/website/sidebarsIntegrations.js +++ b/website/sidebarsIntegrations.js @@ -18,6 +18,7 @@ module.exports = { "services/gitlab/index", "services/grafana/index", "services/harbor/index", + "services/hashicorp-vault/index", "services/hedgedoc/index", "services/home-assistant/index", "services/matrix-synapse/index",
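Review bot: In Step 3 the role is created with `policies="reader"` and the auth method defaults to `default_role="reader"`, but no `reader` policy is ever created and the top note says policies are out of scope, so a reader following the steps literally gets a token bound to a non-existent policy and can read nothing; either add a minimal `vault policy write reader ...` prerequisite line or state explicitly that the `reader` policy must exist before `vault write auth/oidc/role/reader ...`. Two smaller points in the same hunk: the `oidc_client_secret="Client Secret"` example puts the secret on the command line where it lands in shell history, so it is worth recommending `oidc_client_secret=@file` or an environment variable in the doc; and the `http://localhost:8250/oidc/callback` redirect URI is only needed for the CLI `vault login -method=oidc` flow in the last step, which the text should say so operators who only use the UI know they can omit it from authentik. Formatting: ```` ```vault auth enable oidc``` ```` and ```` ```vault login -method=oidc role="reader"``` ```` are written on a single line, which Docusaurus renders as inline code rather than a fenced block; open and close the fences on their own lines like the other blocks, and add a blank line before the fence that follows `- Redirect URIs/Origins:` so it is not swallowed into the list item.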