hashivault_oidc_auth_role – Hashicorp Vault OIDC secret engine role

New in version 4.1.1.

Synopsis

  • Module to define an OIDC auth role in Vault; the role controls which OIDC logins are accepted and what token Vault issues for them

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Parameter / Choices/Defaults / Comments (each parameter lists its choices and default where it has one, followed by its comments):

allowed_redirect_uris
    The list of allowed values for redirect_uri during OIDC logins.
    When using nested namespaces, use URL encoding '%2F' instead of '/'.

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    authentication type

aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value to prevent replay attacks.

bound_audiences
    List of `aud` claims to match against. Any match is sufficient.

bound_claims
    If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.

bound_subject
    If set, requires that the `sub` claim matches this value.

ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.

ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.

claim_mappings
    If set, a map of claims (keys) to be copied to specified metadata fields (values).

client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.

client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.

groups_claim
    The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.

login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    authentication mount point

mount_point
    Default: "oidc"
    name of the mount point

name
    name of the role in Vault

namespace
    Default: environment variable `VAULT_NAMESPACE`
    namespace for Vault

oidc_scopes
    If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.

password
    Default: environment variable `VAULT_PASSWORD`
    password to login to Vault

token
    Default: environment variable `VAULT_TOKEN`
    token for Vault

token_bound_cidrs
    List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl
    If set, will encode an explicit max TTL onto the token. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl
    The maximum lifetime for generated tokens. The current value of this will be referenced at renewal time.

token_no_default_policy
    If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses
    The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

token_period
    If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter.

token_policies
    List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl
    The incremental lifetime for generated tokens. The current value of this will be referenced at renewal time.

token_type
    The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities (default-service and default-batch) which specify the type to return unless the client requests a different type at generation time.

url
    Default: environment variable `VAULT_ADDR`
    URL for Vault

user_claim
    Default: "sub"
    The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim value must be a string.

username
    Default: environment variable `VAULT_USER`
    username to login to Vault

verify
    Default: environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing.

Examples

---
- hosts: localhost
  tasks:
    - hashivault_oidc_auth_role:
        name: "gmail"
        bound_audiences: ["123-456.apps.googleusercontent.com"]
        allowed_redirect_uris: ["https://vault.com:8200/ui/vault/auth/oidc/oidc/callback"]
        token_policies: ["test"]

- hosts: localhost
  tasks:
    - hashivault_oidc_auth_role:
        name: nested_ns_role
        bound_audiences: ["123-456.apps.googleusercontent.com"]
        allowed_redirect_uris: ["https://vault.com:8200/ui/oidc/oidc/callback?namespace=namespaceone%2Fnamespacetwo"]
        token_policies: ["test"]
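To make the binding parameters concrete, here is an added Python model (written for this page; not code from the ansible-modules-hashivault module, hvac, or Vault) of how a role's bound_audiences, bound_subject, bound_claims, user_claim, groups_claim, claim_mappings and token_no_default_policy are applied to the claims of an ID token at login. The function names (evaluate_role, binding_fails), the sample role and the sample claims are constructed assumptions; the code encodes only the rules the parameter descriptions state and is not Vault's actual implementation.

```python
"""Offline model of how an OIDC role's bound_*, *_claim and token_* parameters
are applied to the claims of an ID token at login time.

Added example for this page: it is not code from ansible-modules-hashivault or
from Vault, and the function and sample names (evaluate_role, binding_fails,
SAMPLE_ROLE, SAMPLE_CLAIMS) are assumptions. It only encodes the rules stated in
the parameter descriptions: bound_audiences (any match suffices), bound_subject
(exact match), bound_claims (expected value is a string or list of strings),
user_claim (must be a string), groups_claim (must be a list of strings),
claim_mappings (claim copied to a metadata field) and token_no_default_policy.
"""

from typing import Any


class RoleBindingError(Exception):
    """Raised when the token's claims do not satisfy the role's bindings."""


def _as_list(value: Any) -> list:
    # `aud` and bound_claims values may be a single string or a list of strings
    return list(value) if isinstance(value, (list, tuple)) else [value]


def evaluate_role(role: dict, claims: dict) -> dict:
    """Apply `role` (keys named like the module parameters) to `claims`.

    Returns the entity alias name, group alias names, metadata copied via
    claim_mappings and the policies to encode on the token, or raises
    RoleBindingError if any binding is not satisfied.
    """
    # bound_audiences: at least one `aud` value must be in the list
    bound_aud = role.get("bound_audiences") or []
    if bound_aud:
        token_aud = set(_as_list(claims.get("aud", [])))
        if not token_aud.intersection(bound_aud):
            raise RoleBindingError("aud %s not in bound_audiences %s"
                                   % (sorted(token_aud), bound_aud))

    # bound_subject: the `sub` claim must equal it exactly
    if role.get("bound_subject") is not None and claims.get("sub") != role["bound_subject"]:
        raise RoleBindingError("sub claim does not match bound_subject")

    # bound_claims: each listed claim must be present and match an expected value
    for claim, expected in (role.get("bound_claims") or {}).items():
        if claim not in claims:
            raise RoleBindingError("required claim %r is missing" % claim)
        if not set(_as_list(claims[claim])).intersection(_as_list(expected)):
            raise RoleBindingError("claim %r=%r does not match %r"
                                   % (claim, claims[claim], expected))

    # user_claim (default "sub") names the entity alias and must be a string
    user_claim = role.get("user_claim", "sub")
    alias = claims.get(user_claim)
    if not isinstance(alias, str) or not alias:
        raise RoleBindingError("user_claim %r must be a non-empty string" % user_claim)

    # groups_claim, if set, must be a list of strings; each becomes a group alias
    groups: Any = []
    if role.get("groups_claim"):
        groups = claims.get(role["groups_claim"])
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            raise RoleBindingError("groups_claim %r must be a list of strings"
                                   % role["groups_claim"])

    # claim_mappings: copy claim (key) into the named metadata field (value)
    metadata = {field: claims[claim]
                for claim, field in (role.get("claim_mappings") or {}).items()
                if claim in claims}

    # token_policies, plus the default policy unless token_no_default_policy is set
    policies = list(role.get("token_policies") or [])
    if not role.get("token_no_default_policy") and "default" not in policies:
        policies.append("default")

    return {"entity_alias": alias, "group_aliases": groups,
            "metadata": metadata, "policies": policies}


def binding_fails(role: dict, claims: dict) -> bool:
    """True if evaluate_role rejects the claims (useful for negative checks)."""
    try:
        evaluate_role(role, claims)
    except RoleBindingError:
        return True
    return False


# Constructed sample role and ID-token claims (invented values, not real data).
SAMPLE_ROLE = {
    "bound_audiences": ["123-456.apps.googleusercontent.com"],
    "bound_claims": {"hd": ["example.com", "example.org"]},
    "user_claim": "email",
    "groups_claim": "groups",
    "claim_mappings": {"email": "email", "hd": "domain"},
    "token_policies": ["test"],
}
SAMPLE_CLAIMS = {
    "iss": "https://accounts.example.com",
    "aud": "123-456.apps.googleusercontent.com",
    "sub": "110248495921238986420",
    "email": "alice@example.com",
    "hd": "example.com",
    "groups": ["ops", "dev"],
}

if __name__ == "__main__":
    print(evaluate_role(SAMPLE_ROLE, SAMPLE_CLAIMS))
    print(binding_fails(dict(SAMPLE_ROLE, bound_audiences=["other-client"]), SAMPLE_CLAIMS))
```

Running the module prints the login outcome for the sample claims and then shows the same claims being rejected under a role bound to a different audience. The negative checks make the review point visible: a role that binds only bound_audiences accepts every user of that OIDC client, so bound_claims (here the `hd` domain) or bound_subject is what narrows the role to the intended population, and token_no_default_policy is what keeps the default policy off the issued token.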

Status

Authors

  • UNKNOWN
