oidc-auth-method
bmcdonald05/oidc-auth-method/vault
Terraform module for the Vault provider for enabling the OIDC auth method and creating an identity group/alias for external group mappings.
# terraform-vault-oidc-auth-method

Terraform module for the Vault provider for enabling the OIDC auth method. Currently it creates the following items:

- Enables the OIDC auth method at a configurable path
- A default role for the OIDC auth method with either the "default" Vault policy or NO Vault policy
- An external identity group that can be assigned additional Vault policies for permissions
- An identity group alias attached to the external identity group for mapping external IdP groups

The aim of this module is to solve a common scenario where a Vault operator needs to set up the OIDC auth method. The "default" role required for authentication will allow any user with valid credentials, and access to the OIDC application on the Identity Provider (IdP) side, to successfully authenticate to

## Inputs
| Name | Type | Description | Default |
|---|---|---|---|
| user_claim | string | The claim to use to uniquely identify the user; this will be used as the name fo | "" |
| additional_policies | list(any) | List of strings. Additional policies to add to external groups as desired. | [""] |
| bound_issuer | string | The value against which to match the iss claim in a JWT. | null |
| claim_mappings | map(string) | If set, a map of claims (keys) to be copied to specified metadata fields (values | {} |
| provider_config | map(string) | Provider specific handling configuration. All values may be strings, and the pro | {} |
| bound_claims | map(string) | If set, a map of claims to values to match against. A claim's value must be a st | {} |
| oidc_discovery_url | string | The OIDC Discovery URL, without any .well-known component (base path). | "" |
| token_ttl | number | The incremental lifetime for generated tokens in number of seconds. Defaults to | 86400 |
| enable_debug_log | bool | Log received OIDC tokens and claims when debug-level logging is active to troubl | false |
| bound_claims_type | string | How to interpret values in the claims/values map (bound_claims): can be either s | "string" |
| oidc_response_types | list(any) | List of response types to request. Allowed values are 'code' and 'id_token'. Def | [""] |
| oidc_scopes | list(any) | If set, a list of OIDC scopes to be used with an OIDC role. The standard scope ' | [""] |
| bound_audiences | list(string) | List of aud claims to match against. Any match is sufficient. | [""] |
| no_default_policy | bool | If set, the default policy will NOT be set on generated tokens; otherwise it wil | false |
| oidc_client_secret | string | Client Secret used for OIDC backend. | "" |
| bound_subject | string | If set, requires that the sub claim matches this value. | null |
| oidc_client_id | string | Client ID used for OIDC backend. | "" |
| path | string | Path to mount the OIDC auth backend | "oidc" |
| external_group_identifier | string | Name of the group alias to create. This name needs to match the group identifier | "" |
| group_name | string | The actual name of the external identity group to create; defaults to 'oidc-admi | "oidc-admins-group" |
## Outputs

- oidc_accessor: The accessor for this OIDC auth method.
- oidc_path: The path this OIDC auth method was enabled at.
- external_group_id: The ID of the created external group.
- external_group_alias_id: The ID of the created group alias.
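The following is an added example of calling this module, not code from the module's own README. It assumes the registry source shown at the top of the page and the input names from the table above; the IdP URL, client ID, claim names, group identifier and policy body are constructed placeholders, and the `vault_policy` resource is the Vault provider's own resource, used here to show how a policy is granted to the external group through `additional_policies`.

```hcl
# Added example: enabling the OIDC auth method through this module and granting
# the mapped IdP group one extra policy. All identifiers below are constructed.

variable "oidc_client_secret" {
  description = "OIDC client secret; pass via TF_VAR_oidc_client_secret rather than in source."
  type        = string
  sensitive   = true
}

# Policy the external identity group receives in addition to "default" (constructed body).
resource "vault_policy" "oidc_admins" {
  name   = "oidc-admins"
  policy = <<-EOT
    path "secret/data/team-a/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

module "oidc" {
  source = "bmcdonald05/oidc-auth-method/vault"
  # version = "<pin to a released tag>"   # placeholder; pin before use

  path               = "oidc"
  oidc_discovery_url = "https://idp.example.invalid"  # constructed; no .well-known suffix
  oidc_client_id     = "vault-client-id-placeholder"  # constructed
  oidc_client_secret = var.oidc_client_secret
  bound_issuer       = "https://idp.example.invalid"  # tokens from any other issuer are rejected

  # Bind the role tightly: aud must be this client, and a chosen claim must match.
  bound_audiences   = ["vault-client-id-placeholder"]
  bound_claims_type = "string"
  bound_claims = {
    "hd" = "example.invalid"   # constructed example of a required claim/value pair
  }
  user_claim          = "email"
  claim_mappings      = { "name" = "display_name" }
  oidc_scopes         = ["openid", "profile", "email", "groups"]
  oidc_response_types = ["code"]
  token_ttl           = 3600   # one hour instead of the 86400-second default
  no_default_policy   = false
  enable_debug_log    = false  # logs raw tokens and claims when on; keep off outside troubleshooting

  # The alias name must match the group identifier the IdP sends, character for character.
  external_group_identifier = "vault-admins"
  group_name                = "oidc-admins-group"
  additional_policies       = [vault_policy.oidc_admins.name]
}

# Expose the mount accessor for other identity mappings built outside the module.
output "oidc_mount_accessor" {
  value = module.oidc.oidc_accessor
}
```

Two points worth checking after `terraform apply`: the client secret is still written to Terraform state even when the variable is marked sensitive, so the state backend needs the same access controls as the secret itself; and if `external_group_identifier` does not exactly equal the group name in the IdP's groups claim, users authenticate with only the default role's policies and never receive the group's `additional_policies`, which is easy to mistake for a policy problem rather than a mapping problem.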