Configuring Vault login via GitLab (OIDC)
On the GitLab side
Get the OIDC client ID and secret from GitLab.
Go to Admin Area - Applications - Create new application:
- Applications (https://gitlab.<domain>/admin/applications) - New application
- Name = vault
- Scopes - openid = checked (also check email and profile if the Vault role will use user_claim = email, see the role step below)
- Redirect URL (one per line; the second one contains the Vault mount path, oidc-gitlab here, and GitLab matches these URLs exactly):
http://localhost:8250/oidc/callback
https://vault.<domain>/ui/vault/auth/oidc-gitlab/oidc/callback
- Save application.
- Copy the values your_application_id and your_secret.
On the Vault side:
- Enable OIDC:
vault auth enable oidc
If you need more than one OIDC method, give each its own -path:
vault auth enable -path=oidc-gitlab oidc
You will see: Success! Enabled oidc auth method at: oidc/ (or at oidc-gitlab/ when -path was given)
- Create the admin policy admin-policy
In the Vault web interface: Policies - ACL policies. The contents of admin-policy.json are below (written in HCL syntax; the UI editor and vault policy write accept both HCL and JSON):
# Read system health check
path "sys/health" {
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault
# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at the `secret/` path
# List, create, update, and delete key/value secrets
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines
path "sys/mounts" {
  capabilities = ["read"]
}
- Create the configuration for connecting to the GitLab identity provider
default_role: admin-role (the role created in the next step); bound_issuer must be the same GitLab base URL that is used for discovery.
vault write auth/oidc-gitlab/config \
oidc_discovery_url="https://gitlab.<domain>" \
oidc_client_id="your_application_id" \
oidc_client_secret="your_secret" \
default_role="..." \
bound_issuer="https://gitlab.<domain>"
The path in auth/<mount path>/config must match the mount path: auth/oidc/config for the default mount, and for the additional OIDC method:
vault write auth/oidc-gitlab/config ...
- Configure the role
user_claim: can be set to email so that user sessions are easy to identify in the Vault UI, but then the email and profile scopes must be added to the vault application in GitLab (and requested in oidc_scopes).
yourGroup/yourSubgroup: the full group path from GitLab, in lower case.
Values used in this example: role admin-role, policy admin-policy, group truedev.
vault write auth/oidc-gitlab/role/<user-role> -<<EOF
{
"user_claim": "sub",
"allowed_redirect_uris": "https://vault.<domain>/ui/vault/auth/oidc-gitlab/oidc/callback,http://localhost:8250/oidc/callback",
"bound_audiences": "<your_application_id>",
"oidc_scopes": "openid",
"role_type": "oidc",
"token_policies": "<user-policy>",
"ttl": "1h",
"bound_claims": { "groups": ["<yourGroup/yourSubgroup>", ... ] }
}
EOF
As with the config, the role path must match the mount path: auth/oidc/role/<user-role> for the default mount, auth/oidc-gitlab/role/<user-role> for the additional OIDC method.
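The whole Vault-side procedure above, as an added example that is not part of the original page: a POSIX shell script that builds the role payload from the placeholders, checks that the two redirect URIs Vault will use are exactly the ones registered on the GitLab application, lower-cases the group path, and adds a least-privilege policy for a non-admin role as a contrast to admin-policy. The names dev-policy, dev-role and the group TrueDev/Developers, and the KV v2 layout under secret/<team>/, are assumptions; the vault commands run only when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not part of the original page: the Vault-side steps above as
# a script, plus two checks for the usual causes of a failed GitLab login.
# Every <...> value is a placeholder; dev-policy, dev-role and the group
# TrueDev/Developers are assumed names used only for illustration.
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.<domain>}"
VAULT_URL="${VAULT_URL:-https://vault.<domain>}"
OIDC_PATH="${OIDC_PATH:-oidc-gitlab}"          # mount path given to vault auth enable -path=
CLIENT_ID="${CLIENT_ID:-<your_application_id>}"
CLIENT_SECRET="${CLIENT_SECRET:-<your_secret>}"

# The two callbacks Vault uses: the UI one (contains the mount path) and the
# CLI one on localhost:8250. Both must be registered on the GitLab application.
ui_callback()  { printf '%s/ui/vault/auth/%s/oidc/callback' "$VAULT_URL" "$OIDC_PATH"; }
cli_callback() { printf 'http://localhost:8250/oidc/callback'; }

# Check 1: GitLab compares redirect URIs byte for byte. Reads the URIs
# registered in GitLab from stdin (one per line) and returns 1 if either
# Vault callback is missing (a typo such as /iodc/ shows up here).
check_redirect_uris() {
    registered=$(cat)
    for uri in "$(ui_callback)" "$(cli_callback)"; do
        if ! printf '%s\n' "$registered" | grep -Fxq -- "$uri"; then
            echo "redirect URI not registered in GitLab: $uri" >&2
            return 1
        fi
    done
    return 0
}

# Check 2: GitLab group paths must appear in lower case in bound_claims.
lower_group() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Role payload for: vault write auth/$OIDC_PATH/role/<name> -
# user_claim=email only works if the email and profile scopes are requested
# here and enabled on the GitLab application.
role_json() {
    user_claim=$1; policy=$2; group=$(lower_group "$3")
    case $user_claim in
        email) scopes='["openid", "email", "profile"]' ;;
        *)     scopes='["openid"]' ;;
    esac
    cat <<EOF
{
  "role_type": "oidc",
  "user_claim": "$user_claim",
  "oidc_scopes": $scopes,
  "bound_audiences": ["$CLIENT_ID"],
  "allowed_redirect_uris": ["$(ui_callback)", "$(cli_callback)"],
  "bound_claims": { "groups": ["$group"] },
  "token_policies": ["$policy"],
  "ttl": "1h"
}
EOF
}

# Least-privilege policy for a non-admin role, to contrast with admin-policy.
# Assumes a KV v2 engine mounted at secret/ with team data under secret/<team>/.
dev_policy_hcl() {
    cat <<EOF
path "secret/data/$1/*"     { capabilities = ["read", "list"] }
path "secret/metadata/$1/*" { capabilities = ["list"] }
EOF
}

# Talks to Vault; needs VAULT_ADDR and a VAULT_TOKEN allowed to manage auth methods.
apply() {
    vault auth enable -path="$OIDC_PATH" oidc
    dev_policy_hcl truedev | vault policy write dev-policy -
    vault write "auth/$OIDC_PATH/config" \
        oidc_discovery_url="$GITLAB_URL" \
        oidc_client_id="$CLIENT_ID" \
        oidc_client_secret="$CLIENT_SECRET" \
        default_role="admin-role" \
        bound_issuer="$GITLAB_URL"
    role_json sub   admin-policy truedev            | vault write "auth/$OIDC_PATH/role/admin-role" -
    role_json email dev-policy   TrueDev/Developers | vault write "auth/$OIDC_PATH/role/dev-role" -
}

# Run as: ./vault-gitlab-oidc.sh apply   (without "apply" nothing is changed)
if [ "${1:-}" = apply ]; then apply; fi
```

The redirect check is worth running before touching Vault: the UI callback embeds the mount path, so changing -path without updating the GitLab application breaks browser login, and a single mistyped character in either list is rejected by GitLab. The JSON arrays are equivalent to the comma-separated strings in the command above; Vault accepts both forms for these list parameters.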
Logging in to Vault through the browser
Open https://vault.<domain>
If you configured an additional OIDC method, enter its mount path: oidc-gitlab
You are then redirected to GitLab - click Authorize:
Logging in from the command line
vault login -method=oidc role=<user-role>
If an additional OIDC method was mounted, specify its path:
vault login -path=oidc-gitlab -method=oidc role=admin-role