hashivault_oidc_auth_method_config – Hashicorp Vault OIDC auth method config

New in version 4.1.1.

Synopsis

• Module to configure an OIDC auth mount

Requirements

The below requirements are needed on the host that executes this module.

• hvac>=0.10.1

• ansible>=2.0.0

• requests

Parameters

Parameter	Choices/Defaults	Comments
authtype -	Choices: token userpass github ldap approle Default: "token or environment variable `VAULT_AUTHTYPE`"	authentication type
aws_header -	Default: "to environment variable `VAULT_AWS_HEADER`"	X-Vault-AWS-IAM-Server-ID Header value to prevent replay attacks.
bound_issuer -		The value against which to match the iss claim in a JWT.
ca_cert -	Default: "to environment variable `VAULT_CACERT`"	Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
ca_path -	Default: "to environment variable `VAULT_CAPATH`"	Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value will take precedence
client_cert -	Default: "to environment variable `VAULT_CLIENT_CERT`"	Path to a PEM-encoded client certificate for TLS authentication to the Vault server
client_key -	Default: "to environment variable `VAULT_CLIENT_KEY`"	Path to an unencrypted PEM-encoded private key matching the client certificate
default_role -		The default role to use if none is provided during login.
jwks_ca_pem -		The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url -		JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwt_supported_algs -	Default: "RS256"	A list of supported signing algorithms.
jwt_validation_pubkeys -		A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
login_mount_point -	Default: "value of authtype or environment varialbe `VAULT_LOGIN_MOUNT_POINT`"	authentication mount point
mount_point -	Default: "oidc"	name of the secret engine mount name.
namespace -	Default: "to environment variable VAULT_NAMESPACE"	namespace for vault
oidc_client_id -		The OAuth Client ID from the provider for OIDC roles.
oidc_client_secret -		The OAuth Client Secret from the provider for OIDC roles.
oidc_discovery_ca_pem -		The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
oidc_discovery_url -		The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
password -	Default: "to environment variable `VAULT_PASSWORD`"	password to login to vault.
token -	Default: "to environment variable `VAULT_TOKEN`"	token for vault
url -	Default: "to environment variable `VAULT_ADDR`"	url for vault
username -	Default: "to environment variable `VAULT_USER`"	username to login to vault.
verify -	Default: "to environment variable `VAULT_SKIP_VERIFY`"	If set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing

Examples

---
- hosts: localhost
  tasks:
    - hashivault_oidc_auth_method_config:
        oidc_discovery_url: "https://accounts.google.com"
        oidc_client_id: "123456"
        oidc_client_secret: "123456"
        default_role: "gmail"

Status

• This module is guaranteed to have backward compatible interface changes going forward. [stableinterface]

• This module is maintained by the Ansible Community. [community]

Authors

• UNKNOWN

Hint

If you notice any issues in this documentation, you can edit this document to improve it.