Identity-based SSH with Vault and Keycloak | Part 1/3

Step by Step Guide for Configuring Vault + KeyCloak OIDC

SSH Signed Certificate Authentication | Check above slides here

Setup

git clone https://gitlab.com/drpdishant/vault-ssh.git
cd vault-ssh && vagrant up
vagrant ssh vault

export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=s.WzCfvOHa0Dz1W11NkOHkFYLV
echo $VAULT_TOKEN | vault login -

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.WzCfvOHa0Dz1W11NkOHkFYLV
token_accessor       qbWsjwwywUJU7Sw0CRoWHlSB
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

vault policy write admin /vagrant/admin.hcl
Success! Uploaded policy: admin

vault auth enable oidc

export KC_DOMAIN=http://192.168.56.101:8080/realms/master
export KC_CLIENT_ID=vault
export KC_CLIENT_SECRET=3ce2a23d-681e-4804-affe-a4214195a4d2
vault write auth/oidc/config \
    oidc_discovery_url="$KC_DOMAIN" \
    oidc_client_id="$KC_CLIENT_ID" \
    oidc_client_secret="$KC_CLIENT_SECRET" \
    default_role="default"

export VAULT_UI=https://192.168.56.101:8200
export VAULT_CLI=https://127.0.0.1:8250
vault write auth/oidc/role/default \
    allowed_redirect_uris="${VAULT_UI}/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="${VAULT_CLI}/oidc/callback" \
    user_claim="email" \
    policies="admin"
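The two vault write commands above are where most OIDC logins go wrong in practice: Vault's discovery step rejects a Keycloak whose advertised issuer is not byte-for-byte identical to oidc_discovery_url (http vs https, a proxy rewriting the host, a trailing slash), user_claim has to be a claim Keycloak actually emits, and allowed_redirect_uris is matched as exact strings. The script below is an added pre-flight check for the role and provider config using the guide's own values; it is not code from the guide, Vault or Keycloak. The discovery document is a constructed stand-in for the realm's /.well-known/openid-configuration response (in a real run you would fetch "$KC_DOMAIN/.well-known/openid-configuration"), and the function names and LAB_CONFIG dictionary are this example's own.

```python
"""Pre-flight checks for a Vault OIDC provider + role configuration.

Added example, not part of the guide. The discovery document is constructed to
resemble Keycloak's /.well-known/openid-configuration for the lab realm.
"""
import json
from urllib.parse import urlparse

# Constructed stand-in for the discovery document (only the fields we check).
KEYCLOAK_DISCOVERY = json.dumps({
    "issuer": "http://192.168.56.101:8080/realms/master",
    "claims_supported": ["sub", "iss", "email", "preferred_username"],
})

# Callback paths used by Vault's web UI and by `vault login -method=oidc`.
UI_CALLBACK_PATH = "/ui/vault/auth/oidc/oidc/callback"
CLI_CALLBACK_PATH = "/oidc/callback"

# The values from the guide's environment variables and role definition.
LAB_CONFIG = {
    "oidc_discovery_url": "http://192.168.56.101:8080/realms/master",
    "vault_ui": "https://192.168.56.101:8200",
    "vault_cli": "https://127.0.0.1:8250",
    "user_claim": "email",
    "allowed_redirect_uris": [
        "https://192.168.56.101:8200/ui/vault/auth/oidc/oidc/callback",
        "https://127.0.0.1:8250/oidc/callback",
    ],
}


def check_issuer(discovery_json, oidc_discovery_url):
    """Vault refuses a provider whose discovery issuer differs from
    oidc_discovery_url; scheme, host, port, path and trailing slash all count."""
    issuer = json.loads(discovery_json).get("issuer")
    if issuer != oidc_discovery_url:
        return [f"issuer mismatch: discovery={issuer!r} config={oidc_discovery_url!r}"]
    return []


def check_user_claim(discovery_json, user_claim):
    """user_claim names the Vault entity alias, so the provider must emit it
    (Keycloak advertises its claims in claims_supported)."""
    supported = json.loads(discovery_json).get("claims_supported", [])
    if user_claim not in supported:
        return [f"user_claim {user_claim!r} not in claims_supported {supported}"]
    return []


def check_redirect_uris(allowed, vault_ui, vault_cli):
    """allowed_redirect_uris is compared as exact strings: a missing entry breaks
    logins, an unexpected one lets the authorization code be delivered to a
    callback that is not this Vault's UI or CLI listener."""
    expected = {vault_ui.rstrip("/") + UI_CALLBACK_PATH,
                vault_cli.rstrip("/") + CLI_CALLBACK_PATH}
    problems = [f"missing redirect URI {u!r}" for u in sorted(expected - set(allowed))]
    problems += [f"unexpected redirect URI {u!r}" for u in sorted(set(allowed) - expected)]
    for uri in allowed:
        parsed = urlparse(uri)
        if parsed.scheme != "https" and parsed.hostname not in ("127.0.0.1", "localhost"):
            problems.append(f"non-loopback redirect URI {uri!r} is not https")
    return problems


def preflight(discovery_json, cfg):
    """Collect every problem found; an empty list means the config is consistent."""
    return (check_issuer(discovery_json, cfg["oidc_discovery_url"])
            + check_user_claim(discovery_json, cfg["user_claim"])
            + check_redirect_uris(cfg["allowed_redirect_uris"],
                                  cfg["vault_ui"], cfg["vault_cli"]))


if __name__ == "__main__":
    for line in preflight(KEYCLOAK_DISCOVERY, LAB_CONFIG) or ["config looks consistent"]:
        print(line)
```

Run it once before `vault write auth/oidc/config` and again whenever Keycloak moves behind a proxy or changes realm URL. The CLI-side entry must also match what `vault login -method=oidc` actually sends as redirect_uri, which defaults to a plain-http localhost listener on port 8250 and is adjusted through that method's arguments; the check above only verifies that the role lists the URI built from VAULT_CLI, not that the CLI will send it.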
Login to Vault using Keycloak
