This module creates a Vault JWT auth backend, which lets you log in to Vault
using well-known identity services you already use.
For instance, you may configure this module to let you into Vault after
authorizing with a GitLab or Google account.
| Name | Version |
|------|---------|
| vault | >= 2.0, < 3.0 |

No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| client_id | OpenID client identifier. It should be generated on the target service. | `string` | n/a | yes |
| client_secret | OpenID client secret. It should be generated on the target service. | `string` | n/a | yes |
| default_token_policies | Default policies attached to every token issued through this method, e.g. policies that allow access to cubbyhole and utilities. | `list(string)` | n/a | yes |
| default_ttl | Default Time-To-Live (in seconds) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of a breach. It may be shorter than `max_lease_ttl`, as a lease can be renewed. | `number` | `43200` | no |
| description | Description of this auth method. You should write something that provides more than just a name here. | `string` | `"OpenID Connect auth method."` | no |
| domain | Domain used to authenticate (e.g. gitlab.com). | `string` | n/a | yes |
| max_ttl | Maximum Time-To-Live (in seconds) for Vault tokens generated by this method. It should be set to a time comfortable for all users, yet still short enough to be safe in case of a breach. After this time passes, the user needs to authenticate again. | `number` | `43200` | no |
| path | Path at which to mount this auth method. It can be just `gitlab` for GitLab. | `string` | `"oidc"` | no |
| role_name | Role name for this OIDC auth method. | `string` | n/a | yes |
| scopes | List of scopes/permissions you will be asked to grant during login via the target service. | `list(string)` | `["profile", "email"]` | no |
| vault_domains | Domain(s) of your Vault installation. Used to redirect you back to Vault from the external service after authentication. | `list(string)` | n/a | yes |
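The following is an added example of calling this module for GitLab login; it is not part of the module's own documentation. The module `source` path, the `gitlab_oidc` block label, the variable names for the client credentials and the domain `vault.example.com` are assumptions, and the provider version constraint is the one listed in the table above. The client secret is passed through a `sensitive` variable so that it never appears in plan output or in the repository, and `default_ttl` is set below `max_ttl` so that tokens are short-lived by default but can be renewed up to the hard limit.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 2.0, < 3.0" # constraint from the module's provider table
    }
  }
}

# Assumed: the OAuth application's secret is supplied out of band
# (environment variable, CI secret store), never hard-coded.
variable "gitlab_oidc_client_id" {
  type = string
}

variable "gitlab_oidc_client_secret" {
  type      = string
  sensitive = true
}

module "gitlab_oidc" {
  source = "./modules/vault-jwt-auth" # placeholder path (assumption)

  # Mount at auth/gitlab instead of the default auth/oidc.
  path        = "gitlab"
  description = "Log in with a GitLab account via OpenID Connect."

  # Identity provider and the role that tokens are issued under.
  domain    = "gitlab.com"
  role_name = "gitlab-user"

  client_id     = var.gitlab_oidc_client_id
  client_secret = var.gitlab_oidc_client_secret

  # Policies granted to every login through this method; keep them minimal
  # and grant anything broader through separate, explicitly assigned policies.
  default_token_policies = ["default"]

  # Where the identity provider may redirect the browser after login.
  vault_domains = ["vault.example.com"]

  # One-hour tokens that can be renewed, but never beyond twelve hours
  # without a fresh login.
  default_ttl = 3600
  max_ttl     = 43200
}
```

The `scopes` input is left at its default (`["profile", "email"]`) in this example; override it only if the identity provider requires additional claims. Registering a narrow `vault_domains` list matters because the provider will only redirect to those hosts, which limits where an issued code can be delivered.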