{"id":22870281,"url":"https://github.com/dadav/keycloak-vault","last_synced_at":"2026-02-07T01:03:17.060Z","repository":{"id":234854619,"uuid":"677742472","full_name":"dadav/keycloak-vault","owner":"dadav","description":null,"archived":false,"fork":false,"pushed_at":"2023-08-12T13:42:48.000Z","size":549,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-14T00:47:02.073Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadav.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-08-12T13:42:32.000Z","updated_at":"2023-08-12T13:42:32.000Z","dependencies_parsed_at":"2024-04-21T06:14:42.056Z","dependency_job_id":"724033fe-b010-4eac-b6e7-e7ef6f3a943b","html_url":"https://github.com/dadav/keycloak-vault","commit_stats":null,"previous_names":["dadav/keycloak-vault"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dadav/keycloak-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Fkeycloak-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Fkeycloak-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Fkeycloak-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Fkeycloak-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadav","download_url":"https://codeload.github.com/dadav/keycloak-vault/tar.gz/refs/
heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadav%2Fkeycloak-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29183298,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T00:44:15.062Z","status":"ssl_error","status_checked_at":"2026-02-07T00:35:01.758Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-13T13:14:23.848Z","updated_at":"2026-02-07T01:03:17.045Z","avatar_url":"https://github.com/dadav.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Setup\n\nThe goal of this setup is to configure keycloak with vault.\n\n# Commands\n\n```bash\n# bring everything up\ndocker-compose up -d\n\n# bring everything down\ndocker-compose down\n```\n\n# Steps\n\n## Keycloak\n\n### Login\n\nOpen [keycloak](http://localhost:8080/) and use `root:root` to login as an admin.\n\n### Create a realm\n\nUse the dropdown menu in the top left to create a new realm.\n\n![create a realm](./images/realm.png)\n\n![set a realm name](./images/realm2.png)\n\n### Create a client\n\nSelect the created realm, then go to `Clients` and click `Create client`.\n\n![create a client](./images/create_client.png)\n\n![client settings 1](./images/client_settings1.png)\n\n![client settings 2](./images/client_settings2.png)\n\n![client settings 
3](./images/client_settings3.png)\n\nNow create the vault client.\n\n### Map roles to token\n\nNow we need to tell keycloak that the user roles should be part of the id-token.\n\n![id token 1](./images/id-token1.png)\n\n![id token 2](./images/id-token2.png)\n\n![id token 3](./images/id-token3.png)\n\nNow inspect the created mapper and ensure that `Add to ID token` is switched `ON`.\n\n![id token 4](./images/id-token4.png)\n\nThe `token claim name` should be set to `resource_access.${client_id}.roles` by default. Remember\nthis information, because this is the path where the roles will be stored.\nThe id token which vault will get will look something like this:\n\n```json\n{\n    \"iss\": \"foo\",\n    \"sub\": \"bar\",\n    \"resource_access\": {\n        \"vault\": {\n            \"roles\": [\n                \"dev\"\n            ]\n        }\n    }\n}\n```\n\n### Create a user and role\n\nClick on `Users`, then `Add user`.\n\n![add user 1](./images/add_user1.png)\n\nChoose a username, click on `Email verified` and then `Create`.\n\n![add user 2](./images/add_user2.png)\n\nNow set a password by switching to the `Credentials` tab and pressing on `Set password`.\n\n![add user 3](./images/add_user3.png)\n\nI set `foobar` as my password.\nDon't forget to switch off the `Temporary` option.\n\n![add user 4](./images/add_user4.png)\n\nNow we need our `dev` role. For this, click on `Roles`, then `Create role`.\n\n![add role 1](./images/add_role1.png)\n\n![add role 2](./images/add_role2.png)\n\n### Assign user to role\n\nClick on `Users` and then on your user.\n\n![assign role to user 1](./images/assign_role1.png)\n\nSwitch to the `Role mapping` tab and click `Assign role`.\n\n![assign role to user 2](./images/assign_role2.png)\n\nSelect the `dev` role and then click `Assign`.\n\n![assign role to user 3](./images/assign_role3.png)\n\nAaaaaaaand we are done with the keycloak configuration.\n\n## Vault\n\nThe plan is to:\n\n1. Enable the oidc auth method\n2. 
Configure vault to use keycloak\n3. Map the keycloak roles to vault groups\n4. Assign policies to those groups\n\n### Set env vars\n\nFirst let's make sure we can connect to vault:\n\n```bash\nexport VAULT_ADDR=\"http://localhost:8200\"\nexport VAULT_TOKEN=\"root\"\nvault token lookup\n```\n\n\u003cdetails\u003e\n    \u003csummary\u003e\n        Expected output\n    \u003c/summary\u003e\n\n    ```bash\n    14:40 ➜ vault token lookup\n    Key                 Value\n    ---                 -----\n    accessor            oqmYXn9VssJcQfnWTaDBCxdV\n    creation_time       1691841063\n    creation_ttl        0s\n    display_name        token\n    entity_id           n/a\n    expire_time         \u003cnil\u003e\n    explicit_max_ttl    0s\n    id                  root\n    issue_time          2023-08-12T11:51:03.904461013Z\n    meta                \u003cnil\u003e\n    num_uses            0\n    orphan              true\n    path                auth/token/create\n    policies            [root]\n    renewable           false\n    ttl                 0s\n    type                service\n    ```\n\u003c/details\u003e\n\n### Enable oidc auth method\n\n```bash\nvault auth enable oidc\n```\n\n### Configure the auth method\n\n```bash\nvault write auth/oidc/config \\\n    oidc_discovery_url=\"http://keycloak:8080/realms/foo\" \\\n    oidc_client_id=\"vault\" \\\n    oidc_client_secret=\"1Y6gvkgW3ChR4WVlgBJui3fgqOqvaD2N\" \\\n    default_role=\"default\"\n```\n\nOk, let me explain.\n\n**oidc_discovery_url**: This is just the URL to your realm. 
You can get this by\ngoing to your `Realm settings` and clicking on `OpenID Endpoint Configuration`.\n\n**oidc_client_id**: This is the client id we used in the beginning.\n\n**oidc_client_secret**: You can get this by going to your client config, switching to\nthe `Credentials` tab and reading the field `Client secret`.\n\n![client secret](./images/client_secret.png)\n\n**default_role**: The name of the role that every user who logs in through this auth method gets.\nThis role does not exist yet.\n\n### Let's create some vault policies\n\n```bash\n# Just allow listing secrets, no reading\nvault policy write listonly -\u003c\u003cEOF\npath \"/secret/*\" {\n    capabilities = [\"list\"]\n}\nEOF\n\n# Allow everything\nvault policy write manage -\u003c\u003cEOF\npath \"/secret/*\" {\n    capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\nEOF\n```\n\n### Adding the default role\n\n```bash\nvault write auth/oidc/role/default \\\n    bound_audiences=\"vault\" \\\n    allowed_redirect_uris=\"http://vault:8250/oidc/callback\" \\\n    allowed_redirect_uris=\"http://vault:8200/ui/vault/auth/oidc/oidc/callback\" \\\n    groups_claim=\"/resource_access/vault/roles\" \\\n    user_claim=\"sub\" \\\n    policies=listonly\n```\n\nIf you log in now, you should be able to see the `secret/` mount.\nIf you get an error like `Missing auth_url.`, be sure to use the correct hostname.\nIt should match the hostname you just configured in the `allowed_redirect_uris`\nparameter. I have a `127.0.0.1 vault` entry in my `/etc/hosts` file. 
If you don't have that,\nchange the parameter to `localhost`.\n\n### Map keycloak dev to vault manage policy\n\n```bash\n# Create an external group\nvault write identity/group name=\"developers\" type=\"external\" \\\n         policies=\"manage\" \\\n         metadata=responsibility=\"Manage Secrets\"\n\n# Create a group-alias which maps the keycloak dev role to the developers group\n# The name must match the keycloak role!\n# (no whitespace after the trailing backslashes, or the line continuation breaks)\nvault write identity/group-alias name=\"dev\" \\\n     mount_accessor=\"$(vault auth list -format=json | jq -r '.\"oidc/\".accessor')\" \\\n     canonical_id=\"$(vault read -field=id identity/group/name/developers)\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadav%2Fkeycloak-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadav%2Fkeycloak-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadav%2Fkeycloak-vault/lists"}