OidcProvider

class OidcProvider : KotlinCustomResource

Manages OIDC Providers in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Where Vault may send the browser back after authentication. These are
// loopback-only URLs for a local development setup; for any non-loopback host
// list the exact https callbacks the client uses and nothing broader.
const redirectUris = [
    "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
    "http://127.0.0.1:8251/callback",
    "http://127.0.0.1:8080/callback",
];

// Claim template for the "groups" scope: the entity's group names are
// rendered into a `groups` claim of the ID token.
const groupsTemplate = JSON.stringify({
    groups: "{{identity.entity.groups.names}}",
});

// Signing key for ID tokens. The "*" wildcard lets every client use this key;
// outside local experiments pin it to the specific client IDs that need it.
// rotationPeriod / verificationTtl are durations (presumably seconds).
const signingKey = new vault.identity.OidcKey("test", {
    name: "my-key",
    allowedClientIds: ["*"],
    rotationPeriod: 3600,
    verificationTtl: 3600,
});

// Entities and groups allowed to log in through the client below. The IDs
// here are placeholders; a real deployment references existing identity IDs.
const assignment = new vault.identity.OidcAssignment("test", {
    name: "my-assignment",
    entityIds: ["fake-ascbascas-2231a-sdfaa"],
    groupIds: ["fake-sajkdsad-32414-sfsada"],
});

// The relying party. Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
const client = new vault.identity.OidcClient("test", {
    name: "application",
    key: signingKey.name,
    redirectUris,
    assignments: [assignment.name],
    idTokenTtl: 2400,
    accessTokenTtl: 7200,
});

const groupsScope = new vault.identity.OidcScope("test", {
    name: "groups",
    template: groupsTemplate,
    description: "Groups scope.",
});

// httpsEnabled: false yields an http:// issuer; acceptable here only because
// the issuer host is loopback. A production issuer should be https.
const provider = new vault.identity.OidcProvider("test", {
    name: "my-provider",
    httpsEnabled: false,
    issuerHost: "127.0.0.1:8200",
    allowedClientIds: [client.clientId],
    scopesSupporteds: [groupsScope.name],
});
import pulumi
import json
import pulumi_vault as vault

# Where Vault may send the browser back after authentication. Loopback-only
# URLs for a local development setup; for any non-loopback host list the exact
# https callbacks the client uses and nothing broader.
redirect_uris = [
    "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
    "http://127.0.0.1:8251/callback",
    "http://127.0.0.1:8080/callback",
]

# Claim template for the "groups" scope: the entity's group names are rendered
# into a `groups` claim of the ID token.
groups_template = json.dumps({"groups": "{{identity.entity.groups.names}}"})

# Signing key for ID tokens. The "*" wildcard lets every client use this key;
# outside local experiments pin it to the specific client IDs that need it.
# rotation_period / verification_ttl are durations (presumably seconds).
signing_key = vault.identity.OidcKey(
    "test",
    name="my-key",
    allowed_client_ids=["*"],
    rotation_period=3600,
    verification_ttl=3600,
)

# Entities and groups allowed to log in through the client below. The IDs are
# placeholders; a real deployment references existing identity IDs.
assignment = vault.identity.OidcAssignment(
    "test",
    name="my-assignment",
    entity_ids=["fake-ascbascas-2231a-sdfaa"],
    group_ids=["fake-sajkdsad-32414-sfsada"],
)

# The relying party. Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
client = vault.identity.OidcClient(
    "test",
    name="application",
    key=signing_key.name,
    redirect_uris=redirect_uris,
    assignments=[assignment.name],
    id_token_ttl=2400,
    access_token_ttl=7200,
)

groups_scope = vault.identity.OidcScope(
    "test",
    name="groups",
    template=groups_template,
    description="Groups scope.",
)

# https_enabled=False yields an http:// issuer; acceptable here only because
# the issuer host is loopback. A production issuer should be https.
provider = vault.identity.OidcProvider(
    "test",
    name="my-provider",
    https_enabled=False,
    issuer_host="127.0.0.1:8200",
    allowed_client_ids=[client.client_id],
    scopes_supporteds=[groups_scope.name],
)
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() =>
{
    // Where Vault may send the browser back after authentication. Loopback-only
    // URLs for a local development setup; for any non-loopback host list the
    // exact https callbacks the client uses and nothing broader.
    var redirectUris = new[]
    {
        "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
        "http://127.0.0.1:8251/callback",
        "http://127.0.0.1:8080/callback",
    };

    // Claim template for the "groups" scope: the entity's group names are
    // rendered into a `groups` claim of the ID token.
    var groupsTemplate = JsonSerializer.Serialize(new Dictionary<string, object?>
    {
        ["groups"] = "{{identity.entity.groups.names}}",
    });

    // Signing key for ID tokens. The "*" wildcard lets every client use this
    // key; outside local experiments pin it to the specific client IDs that
    // need it. RotationPeriod / VerificationTtl are durations (presumably seconds).
    var signingKey = new Vault.Identity.OidcKey("test", new()
    {
        Name = "my-key",
        AllowedClientIds = new[] { "*" },
        RotationPeriod = 3600,
        VerificationTtl = 3600,
    });

    // Entities and groups allowed to log in through the client below. The IDs
    // are placeholders; a real deployment references existing identity IDs.
    var assignment = new Vault.Identity.OidcAssignment("test", new()
    {
        Name = "my-assignment",
        EntityIds = new[] { "fake-ascbascas-2231a-sdfaa" },
        GroupIds = new[] { "fake-sajkdsad-32414-sfsada" },
    });

    // The relying party. Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
    var client = new Vault.Identity.OidcClient("test", new()
    {
        Name = "application",
        Key = signingKey.Name,
        RedirectUris = redirectUris,
        Assignments = new[] { assignment.Name },
        IdTokenTtl = 2400,
        AccessTokenTtl = 7200,
    });

    var groupsScope = new Vault.Identity.OidcScope("test", new()
    {
        Name = "groups",
        Template = groupsTemplate,
        Description = "Groups scope.",
    });

    // HttpsEnabled = false yields an http:// issuer; acceptable here only
    // because the issuer host is loopback. A production issuer should be https.
    var provider = new Vault.Identity.OidcProvider("test", new()
    {
        Name = "my-provider",
        HttpsEnabled = false,
        IssuerHost = "127.0.0.1:8200",
        AllowedClientIds = new[] { client.ClientId },
        ScopesSupporteds = new[] { groupsScope.Name },
    });
});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/identity"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Claim template for the "groups" scope: the entity's group names are
		// rendered into a `groups` claim of the ID token. Built up front since
		// it depends on no resource.
		templateBytes, err := json.Marshal(map[string]interface{}{
			"groups": "{{identity.entity.groups.names}}",
		})
		if err != nil {
			return err
		}
		groupsTemplate := pulumi.String(string(templateBytes))

		// Where Vault may send the browser back after authentication. Loopback-only
		// URLs for a local development setup; for any non-loopback host list the
		// exact https callbacks the client uses and nothing broader.
		redirectURIs := pulumi.StringArray{
			pulumi.String("http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback"),
			pulumi.String("http://127.0.0.1:8251/callback"),
			pulumi.String("http://127.0.0.1:8080/callback"),
		}

		// Signing key for ID tokens. The "*" wildcard lets every client use this
		// key; outside local experiments pin it to the specific client IDs that
		// need it. RotationPeriod / VerificationTtl are durations (presumably seconds).
		signingKey, err := identity.NewOidcKey(ctx, "test", &identity.OidcKeyArgs{
			Name:             pulumi.String("my-key"),
			AllowedClientIds: pulumi.StringArray{pulumi.String("*")},
			RotationPeriod:   pulumi.Int(3600),
			VerificationTtl:  pulumi.Int(3600),
		})
		if err != nil {
			return err
		}

		// Entities and groups allowed to log in through the client below. The IDs
		// are placeholders; a real deployment references existing identity IDs.
		assignment, err := identity.NewOidcAssignment(ctx, "test", &identity.OidcAssignmentArgs{
			Name:      pulumi.String("my-assignment"),
			EntityIds: pulumi.StringArray{pulumi.String("fake-ascbascas-2231a-sdfaa")},
			GroupIds:  pulumi.StringArray{pulumi.String("fake-sajkdsad-32414-sfsada")},
		})
		if err != nil {
			return err
		}

		// The relying party. Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
		client, err := identity.NewOidcClient(ctx, "test", &identity.OidcClientArgs{
			Name:           pulumi.String("application"),
			Key:            signingKey.Name,
			RedirectUris:   redirectURIs,
			Assignments:    pulumi.StringArray{assignment.Name},
			IdTokenTtl:     pulumi.Int(2400),
			AccessTokenTtl: pulumi.Int(7200),
		})
		if err != nil {
			return err
		}

		groupsScope, err := identity.NewOidcScope(ctx, "test", &identity.OidcScopeArgs{
			Name:        pulumi.String("groups"),
			Template:    groupsTemplate,
			Description: pulumi.String("Groups scope."),
		})
		if err != nil {
			return err
		}

		// HttpsEnabled false yields an http:// issuer; acceptable here only because
		// the issuer host is loopback. A production issuer should be https.
		if _, err := identity.NewOidcProvider(ctx, "test", &identity.OidcProviderArgs{
			Name:             pulumi.String("my-provider"),
			HttpsEnabled:     pulumi.Bool(false),
			IssuerHost:       pulumi.String("127.0.0.1:8200"),
			AllowedClientIds: pulumi.StringArray{client.ClientId},
			ScopesSupporteds: pulumi.StringArray{groupsScope.Name},
		}); err != nil {
			return err
		}
		return nil
	})
}
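package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.identity.OidcKey;
import com.pulumi.vault.identity.OidcKeyArgs;
import com.pulumi.vault.identity.OidcAssignment;
import com.pulumi.vault.identity.OidcAssignmentArgs;
import com.pulumi.vault.identity.OidcClient;
import com.pulumi.vault.identity.OidcClientArgs;
import com.pulumi.vault.identity.OidcScope;
import com.pulumi.vault.identity.OidcScopeArgs;
import com.pulumi.vault.identity.OidcProvider;
import com.pulumi.vault.identity.OidcProviderArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a minimal Vault OIDC provider: a signing key, an assignment, a
     * client, a "groups" scope and the provider that ties them together.
     *
     * Every resource uses the logical name "test", matching the other language
     * examples and the `pulumi import ... test my-provider` command, which
     * imports into a resource named `test`.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Signing key for ID tokens. allowedClientIds("*") lets every client use
        // this key; outside local experiments pin it to the specific client IDs
        // that need it. rotationPeriod / verificationTtl are durations (presumably seconds).
        var signingKey = new OidcKey("test", OidcKeyArgs.builder()
            .name("my-key")
            .allowedClientIds("*")
            .rotationPeriod(3600)
            .verificationTtl(3600)
            .build());

        // Entities and groups allowed to log in through the client below. The
        // IDs are placeholders; a real deployment references existing identity IDs.
        var assignment = new OidcAssignment("test", OidcAssignmentArgs.builder()
            .name("my-assignment")
            .entityIds("fake-ascbascas-2231a-sdfaa")
            .groupIds("fake-sajkdsad-32414-sfsada")
            .build());

        // The relying party. Redirect URIs are loopback-only for local development;
        // for any non-loopback host list the exact https callbacks and nothing
        // broader. Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
        var client = new OidcClient("test", OidcClientArgs.builder()
            .name("application")
            .key(signingKey.name())
            .redirectUris(
                "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
                "http://127.0.0.1:8251/callback",
                "http://127.0.0.1:8080/callback")
            .assignments(assignment.name())
            .idTokenTtl(2400)
            .accessTokenTtl(7200)
            .build());

        // Claim template for the "groups" scope: the entity's group names are
        // rendered into a `groups` claim of the ID token.
        var groupsScope = new OidcScope("test", OidcScopeArgs.builder()
            .name("groups")
            .template(serializeJson(
                jsonObject(
                    jsonProperty("groups", "{{identity.entity.groups.names}}")
                )))
            .description("Groups scope.")
            .build());

        // httpsEnabled(false) yields an http:// issuer; acceptable here only
        // because the issuer host is loopback. A production issuer should be https.
        var provider = new OidcProvider("test", OidcProviderArgs.builder()
            .name("my-provider")
            .httpsEnabled(false)
            .issuerHost("127.0.0.1:8200")
            .allowedClientIds(client.clientId())
            .scopesSupporteds(groupsScope.name())
            .build());
    }
}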
resources:
  # Signing key for ID tokens. The '*' wildcard lets every client use this key;
  # outside local experiments pin it to the specific client IDs that need it.
  # rotationPeriod / verificationTtl are durations (presumably seconds).
  test:
    type: vault:identity:OidcKey
    properties:
      name: my-key
      allowedClientIds:
        - '*'
      rotationPeriod: 3600
      verificationTtl: 3600
  # Entities and groups allowed to log in through the client below. The IDs are
  # placeholders; a real deployment references existing identity IDs.
  # `name: test` appears to set the logical resource name so it matches the
  # other language examples, which all use "test".
  testOidcAssignment:
    type: vault:identity:OidcAssignment
    name: test
    properties:
      name: my-assignment
      entityIds:
        - fake-ascbascas-2231a-sdfaa
      groupIds:
        - fake-sajkdsad-32414-sfsada
  # The relying party. Redirect URIs are loopback-only for local development;
  # for any non-loopback host list the exact https callbacks and nothing broader.
  # Token TTLs are in seconds: 40 min ID tokens, 2 h access tokens.
  testOidcClient:
    type: vault:identity:OidcClient
    name: test
    properties:
      name: application
      key: ${test.name}
      redirectUris:
        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback
        - http://127.0.0.1:8251/callback
        - http://127.0.0.1:8080/callback
      assignments:
        - ${testOidcAssignment.name}
      idTokenTtl: 2400
      accessTokenTtl: 7200
  # Claim template for the "groups" scope: the entity's group names are
  # rendered into a `groups` claim of the ID token.
  testOidcScope:
    type: vault:identity:OidcScope
    name: test
    properties:
      name: groups
      template:
        fn::toJSON:
          groups: '{{identity.entity.groups.names}}'
      description: Groups scope.
  # httpsEnabled: false yields an http:// issuer; acceptable here only because
  # the issuer host is loopback. A production issuer should be https.
  testOidcProvider:
    type: vault:identity:OidcProvider
    name: test
    properties:
      name: my-provider
      httpsEnabled: false
      issuerHost: 127.0.0.1:8200
      allowedClientIds:
        - ${testOidcClient.clientId}
      scopesSupporteds:
        - ${testOidcScope.name}

Import

OIDC Providers can be imported using the provider's name, e.g.

$ pulumi import vault:identity/oidcProvider:OidcProvider test my-provider

Properties


The client IDs that are permitted to use the provider. If the list is empty, no clients are allowed; if it contains `*`, all clients are allowed.

val httpsEnabled: Output<Boolean>?

Set to `true` if the issuer endpoint uses HTTPS. Together with `issuer_host`, this determines the scheme of the computed `issuer` value.

val id: Output<String>
val issuer: Output<String>

Specifies what will be used as the scheme://host:port component for the iss claim of ID tokens. This value is computed using the issuer_host and https_enabled fields.

val issuerHost: Output<String>?

The host for the issuer, given as either `host` or `host:port`.

val name: Output<String>

The name of the provider.

val namespace: Output<String>?

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

val pulumiChildResources: Set<KotlinResource>

The scopes that clients may request from the provider.

val urn: Output<String>