https://github.com/dadav/keycloak-vault
- Host: GitHub
- URL: https://github.com/dadav/keycloak-vault
- Owner: dadav
- Created: 2023-08-12T13:42:32.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-08-12T13:42:48.000Z (almost 3 years ago)
- Last Synced: 2025-07-14T00:47:02.073Z (11 months ago)
- Size: 536 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Setup
The goal of this setup is to configure Keycloak as the OIDC identity provider for Vault, so that Keycloak users and roles can be used to log in to Vault.
# Commands
```bash
# bring everything up
docker-compose up -d
# bring everything down
docker-compose down
```
# Steps
## Keycloak
### Login
Open [Keycloak](http://localhost:8080/) and use `root:root` to log in as an admin.
### Create a realm
Use the dropdown menu in the top left to create a new realm.


### Create a client
Select the created realm, then go to `Clients` and click `Create client`.




Now create the vault client.
### Map roles to token
Now we need to tell Keycloak that the user's client roles should be included in the ID token.



Now inspect the created mapper and ensure that `Add to ID token` is switched `ON`; without it, Vault never sees the roles.

The `token claim name` should be set to `resource_access.${client_id}.roles` by default. Remember
this claim name, because it is the path inside the token where the roles will be stored.
The ID token that Vault receives will look something like this:
```json
{
  "iss": "foo",
  "sub": "bar",
  "resource_access": {
    "vault": {
      "roles": [
        "dev"
      ]
    }
  }
}
```
### Create a user and role
Click on `Users`, then `Add user`.

Choose a username, click on `Email verified` and then `Create`.

Now set a password by switching to the `Credentials` tab and pressing on `Set password`.

I set `foobar` as my password.
Don't forget to switch off the `Temporary` option, otherwise the user is forced to change the password at first login.

Now we need our `dev` role. For this, click on `Roles`, then `Create role`.


### Assign user to role
Click on `Users` and then on your user.

Switch to the `Role mapping` tab and click `Assign role`.

Select the `dev` role and then click `Assign`.

Aaaaaaaand we are done with the Keycloak configuration.
## Vault
The plan is to:
1. Enable the OIDC auth method
2. Configure Vault to use Keycloak
3. Map the Keycloak roles to Vault groups
4. Assign policies to those groups
### Set env vars
First let's make sure we can connect to Vault (the root token is `root` in this setup):
```bash
export VAULT_ADDR="http://localhost:8200"
export VAULT_TOKEN="root"
vault token lookup
```
Expected output:
```
explicit_max_ttl    0s
id                  root
issue_time          2023-08-12T11:51:03.904461013Z
meta                <nil>
num_uses            0
orphan              true
path                auth/token/create
policies            [root]
renewable           false
ttl                 0s
type                service
```
### Enable the OIDC auth method
```bash
vault auth enable oidc
```
### Configure the auth method
```bash
vault write auth/oidc/config \
oidc_discovery_url="http://keycloak:8080/realms/foo" \
oidc_client_id="vault" \
oidc_client_secret="1Y6gvkgW3ChR4WVlgBJui3fgqOqvaD2N" \
default_role="default"
```
Ok, let me explain.
**oidc_discovery_url**: The OIDC discovery URL of your realm (the realm is called `foo` here). You can get it by
going to your `Realm settings` and clicking on `OpenID Endpoint Configuration`.
**oidc_client_id**: The client ID we chose when creating the client (`vault`).
**oidc_client_secret**: You can get this by going to your client config, opening
the `Credentials` tab and reading the `Client secret` field.

**default_role**: The name of the Vault role that is used for logins through this auth method when no role is given.
This role does not exist yet.
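The following is an added example, not code from the keycloak-vault repository. It shows what Vault does with the token above at login: it resolves the roles claim from the ID token and turns each role into the policies of a matching external identity group (steps 3 and 4 of the plan). Assumptions that are not in the README: Vault addresses nested claims with JSON Pointer syntax (`/resource_access/vault/roles`, not the dotted Keycloak name), the `bound_aud`, `SAMPLE_PAYLOAD` and `GROUP_POLICIES` values are constructed stand-ins, and `default` is the policy Vault attaches to every token.

```python
"""Added example: resolve the roles claim of a Keycloak ID token the way a
Vault OIDC role with groups_claim="/resource_access/vault/roles" would, then
map the roles to policies via a (constructed) external-group table."""

# Constructed sample: the decoded payload of the ID token shown above, with an
# "aud" claim added so the audience check can be demonstrated.
SAMPLE_PAYLOAD = {
    "iss": "http://keycloak:8080/realms/foo",
    "sub": "bar",
    "aud": "vault",
    "resource_access": {"vault": {"roles": ["dev"]}},
}

# Constructed stand-in for Vault external groups (identity/group) whose alias
# name equals the Keycloak role name, mapped to the policies they carry.
GROUP_POLICIES = {"dev": ["default", "listonly"]}


def resolve_claim(claims: dict, name: str):
    """Look up a claim: a plain name is a top-level key, a name starting with
    '/' is an RFC 6901 JSON Pointer into the nested token payload."""
    if not name.startswith("/"):
        return claims.get(name)  # "resource_access.vault.roles" is NOT a path
    node = claims
    for part in name[1:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # pointer unescaping
        if not isinstance(node, dict) or part not in node:
            return None  # claim absent: the login gets no groups
        node = node[part]
    return node


def policies_for_login(claims: dict, groups_claim: str, bound_aud: str):
    """Return the sorted policy list a login would receive, or None when the
    token is rejected because its audience does not match bound_aud."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if bound_aud not in audiences:
        return None
    roles = resolve_claim(claims, groups_claim)
    if not isinstance(roles, list):
        roles = []  # Vault requires the groups claim to be a list of strings
    policies = {"default"}
    for role in roles:
        policies.update(GROUP_POLICIES.get(role, []))  # unknown role: no extra policy
    return sorted(policies)
```

Running `policies_for_login(SAMPLE_PAYLOAD, "/resource_access/vault/roles", "vault")` yields `['default', 'listonly']`, while the dotted Keycloak claim name resolves to nothing.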
### Let's create some Vault policies
```bash
# Just allow listing secrets, no reading
vault policy write listonly -<