Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Serviceware/vault-plugin-secrets-keycloak
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/Serviceware/vault-plugin-secrets-keycloak
- Owner: Serviceware
- License: mpl-2.0
- Created: 2021-07-23T07:44:29.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-08T13:56:51.000Z (6 months ago)
- Last Synced: 2024-04-28T01:58:01.522Z (2 months ago)
- Language: Go
- Size: 390 KB
- Stars: 9
- Watchers: 3
- Forks: 3
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-keycloak - Vault Keycloak Plugin
README
# Keycloak Secrets via Vault
The purpose of this plugin is to provide Keycloak client secrets from Vault.
## Setup

Please read the [Vault Plugin](https://www.vaultproject.io/docs/plugins) documentation for how to enable and manage plugins in Vault.

### Register plugin

Unzip the release file and copy the plugin binary into Vault's plugin directory (the `plugin_directory` set in the Vault server configuration; `/etc/vault/plugin` in this example):

```
unzip vault-plugin-secrets-keycloak_0.4.0_linux_amd64.zip
cp vault-plugin-secrets-keycloak_v0.4.0 /etc/vault/plugin/keycloak-client-secrets
```

Then register the plugin. The value of `-sha256` must be the SHA-256 checksum of the binary you just copied; Vault verifies the binary against this checksum before it launches the plugin and refuses to run it on a mismatch:

```
vault plugin register -sha256= secret keycloak-client-secrets
```

Now the plugin can be used in Vault.
### Mount backend
Next, you have to mount a _keycloak-client-secrets_ backend. Do this either by command line:
```
vault secrets enable --path=keycloak-client-secrets keycloak-client-secrets
```

or with Terraform:

```
resource "vault_mount" "keycloak-client-secrets" {
  type = "keycloak-client-secrets"
  path = "keycloak-client-secrets"
}
```

### Create client
Create a client in Keycloak which Vault will use to access the client secrets. You can use our
[Terraform module](https://registry.terraform.io/modules/Serviceware/keycloak-client/vaultkeycloak/latst) to do this:

```
provider "keycloak" {
  url       = "https://auth.example.org/auth"
  client_id = "admin-cli"
}

module "keycloak_vault_config" {
  source          = "Serviceware/keycloak-client/vaultkeycloak"
  version         = "0.1.2"
  realm           = "master"
  vault_client_id = "vault"
}
```

The module creates the client using the credentials configured on the Keycloak provider.
### Configure default connection

Now you can register the connection to Keycloak with:

```
vault write keycloak-client-secrets/config/connection \
    server_url="https://auth.example.org/auth" \
    realm="master" \
    client_id="vault" \
    client_secret="secr3t"
```

or by using our [vaultkeycloak](https://registry.terraform.io/providers/Serviceware/vaultkeycloak/latest) Terraform provider:

```
resource "vaultkeycloak_secret_backend" "keycloak-client-secrets-config" {
  path          = "keycloak-client-secrets"
  server_url    = "https://auth.example.org/auth"
  realm         = "master"
  client_id     = "vault"
  client_secret = "secr3t"
}
```

The client secret is taken from the credentials tab of the client configuration in Keycloak. Like any credential passed to a Terraform resource, this `client_secret` is written to the Terraform state, so protect the state accordingly.
### Configure connection for specific realm

```
vault write keycloak-client-secrets/config/realms/realm123/connection \
    server_url="https://auth.example.org/auth" \
    client_id="vault" \
    client_secret="secr3t"
```

### Read client secret of "default" realm
Assuming you have a client _my-client_ in Keycloak, you can finally read the client secret with:

```
vault read keycloak-client-secrets/clients/my-client/secret
```

The output looks like this:

```
Key              Value
---              -----
client_secret    some-very-secret-value
client_id        my-client
issuer           https://auth.example.org/auth/realms/master
```

### Read client secret of specific realm

This uses the connection configured for that realm:

```
vault read keycloak-client-secrets/realms/my-realm/clients/my-client/secret
```

The output looks like this; note that the issuer now identifies the realm the client belongs to:

```
Key              Value
---              -----
client_secret    some-very-secret-value
client_id        my-client
issuer           https://auth.example.org/auth/realms/my-realm
```

## Test Run
```bash
export VAULT_ADDR="http://127.0.0.1:8200"
```

```bash
make build && make start
```

In this development setup the backend is mounted at `keycloak` rather than `keycloak-client-secrets`, so the paths differ from the ones above:

```
make enable
vault write keycloak/config/connection \
    server_url="http://localhost:8080/auth" \
    realm="master" \
    client_id="vault" \
    client_secret="sec3t"
vault read keycloak/clients/foo/secret
```
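Consuming the secret from an application, shown here as an added Go example that is not part of this README or of the plugin's code base. It performs the same read as the `vault read` commands above over Vault's HTTP API (`GET /v1/<mount>/clients/<id>/secret`, token in the `X-Vault-Token` header, fields returned under `data`), then spends the result on an OAuth 2.0 client_credentials grant against Keycloak's token endpoint, derived from the returned `issuer` as `<issuer>/protocol/openid-connect/token`. Vault and Keycloak are replaced by httptest stubs so the code runs offline; the token `hvs.demo`, the access token value and the stub responses are constructed for the demo, while the mount path, client name and secret value are the ones used above. The issuer check refuses to send the client secret over cleartext to anything but loopback, which is the failure mode to guard against if `server_url` is ever misconfigured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// ClientSecret holds the fields `vault read .../secret` prints; Vault's HTTP API returns them under "data".
type ClientSecret struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	Issuer       string `json:"issuer"`
}

// doJSON sends req, requires HTTP 200 and decodes the JSON body into out.
func doJSON(hc *http.Client, req *http.Request, out interface{}) error {
	resp, err := hc.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", req.Method, req.URL.Path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// ReadClientSecret reads <mount>/clients/<id>/secret, or <mount>/realms/<realm>/clients/<id>/secret when realm is set.
func ReadClientSecret(hc *http.Client, vaultAddr, token, mount, realm, clientID string) (ClientSecret, error) {
	p := "/v1/" + mount
	if realm != "" {
		p += "/realms/" + url.PathEscape(realm)
	}
	p += "/clients/" + url.PathEscape(clientID) + "/secret"
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(vaultAddr, "/")+p, nil)
	if err != nil {
		return ClientSecret{}, err
	}
	req.Header.Set("X-Vault-Token", token) // the token travels in a header, never in the URL
	var body struct{ Data ClientSecret `json:"data"` }
	if err := doJSON(hc, req, &body); err != nil {
		return ClientSecret{}, err
	}
	return body.Data, nil
}

// ClientCredentialsToken exchanges the secret for an access token with the OAuth 2.0 client_credentials grant at
// <issuer>/protocol/openid-connect/token. Cleartext http is accepted only for loopback, so a wrong server_url cannot leak the secret.
func ClientCredentialsToken(hc *http.Client, cs ClientSecret) (string, error) {
	u, err := url.Parse(cs.Issuer)
	if err != nil || (u.Scheme != "https" && u.Hostname() != "localhost" && u.Hostname() != "127.0.0.1") {
		return "", fmt.Errorf("refusing to send client secret to issuer %q (need https or loopback)", cs.Issuer)
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	req, _ := http.NewRequest(http.MethodPost, strings.TrimRight(cs.Issuer, "/")+"/protocol/openid-connect/token", strings.NewReader(form.Encode()))
	req.SetBasicAuth(cs.ClientID, cs.ClientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := doJSON(hc, req, &tok); err != nil {
		return "", err
	}
	if tok.AccessToken == "" {
		return "", fmt.Errorf("token endpoint returned no access_token")
	}
	return tok.AccessToken, nil
}

// Demo runs both steps against constructed stand-ins for Vault and Keycloak (httptest servers) so the example works
// offline. Token and secret values are made up; the paths are the ones the vault commands above use.
func Demo() (string, error) {
	keycloak := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.URL.Path != "/auth/realms/master/protocol/openid-connect/token" || !ok || id != "my-client" || secret != "some-very-secret-value" || r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"access_token":"demo-access-token","token_type":"Bearer"}`)
	}))
	defer keycloak.Close()
	vault := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "hvs.demo" || r.URL.Path != "/v1/keycloak-client-secrets/clients/my-client/secret" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]ClientSecret{"data": {ClientID: "my-client", ClientSecret: "some-very-secret-value", Issuer: keycloak.URL + "/auth/realms/master"}})
	}))
	defer vault.Close()
	hc := &http.Client{Timeout: 5 * time.Second}
	cs, err := ReadClientSecret(hc, vault.URL, "hvs.demo", "keycloak-client-secrets", "", "my-client")
	if err != nil {
		return "", err
	}
	return ClientCredentialsToken(hc, cs)
}
```

In real use, take `VAULT_ADDR` and `VAULT_TOKEN` from the environment and give the consuming application a Vault policy that grants `read` on just its own `clients/<id>/secret` path, so a compromised consumer cannot enumerate other clients' secrets.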