| title | description |
|---|---|
Hashicorp Vault Authentication - OIDC Provider for Azure AD / Entra |
Integrate HashiCorp Vault OIDC Authentication with Third Party Azure AD / Entra IDP |
Based on the tutorial for HashiCorp Vault OIDC Provider Authentication Method for Azure AD (Entra), this is the High Level Overview workflow:
This Repo codifies some highlighted Azure and HashiCorp Vault resources (not comprehensive):
- Provider: hashicorp/azuread
azuread_applicationazuread_group
- Provider: hashicorp/vault
vault_jwt_auth_backendvault_jwt_auth_backend_rolevault_policyvault_identity_groupvault_identity_group_aliasvault_kv_secret_v2secret/app1(vault kv metadata get -mount=secret app1)secret/app2(vault kv metadata get -mount=secret app2)
Place your user into the appropriate Azure AD / Entra Group(s) to apply the correct Group Policies.
| AZURE GROUP | VAULT GROUP | VAULT SECRETS PATH | VAULT POLICY |
|---|---|---|---|
| {{user}}-demo-oidc-group-example | vault_identity_group.oidc_provider_azure_group_example | ||
| {{user}}-demo-oidc-group-app1 | vault_identity_group.oidc_provider_azure_group_app1 | secrets/app1 | app1_owner_policy.tpl |
| {{user}}-demo-oidc-group-app2 | vault_identity_group.oidc_provider_azure_group_app2 | secrets/app2 | app2_owner_policy.tpl |
| {{user}}-demo-oidc-group-admin | vault_identity_group.oidc_provider_azure_group_admin | secrets/* | vault_admin_owner_policy.tpl |
| {{user}}-demo-oidc-group-super-admin | vault_identity_group.oidc_provider_azure_group_super_admin | secrets/* | vault_super_admin_policy.tpl |
- Set Azure and HashiCorp Vault logins and addresses - can be set via Environment Variables and/or
azCLI - Go to ./terraform directory, execute
terraform initandterraform apply - Place your user into the appropriate Azure AD / Entra Group(s) to apply the correct Group Policies.
- Log in to Vault UI via
OIDCAuthentication and set theMore Options=>Mount Pathto your TF Variable value forvar.vault_auth_mount_path(default:oidc-azure) - Verify ability to read secrets at
secret/app1orsecret/app2KVv2 Secrets paths. - Log out
- Repeat with other Azure AD / Entra Group(s)
- Log back in
Repo Layout
.
├── LICENSE
├── Makefile
├── README.md
├── assets
│ ├── convergence-scenarios-webapp-webapi.svg
│ ├── convergence-scenarios-webapp.svg
│ └── vault.auth-oidc-azure.01.png
└── terraform
├── 00.variables.tf
├── 00.versions.tf
├── 01-01.azuread_application.tf
├── 01-02.azuread.groups.tf
├── 02-01.vault.oidc_provider.tf
├── 02-02.vault.policies.tf
├── 02-03.vault.aliases_groups.tf
├── 02-04.vault.secrets.tf
├── 99.outputs.tf
├── templates
│ ├── app1_owner_policy.tpl
│ ├── app1_reader_policy.tpl
│ ├── app2_owner_policy.tpl
│ ├── app2_reader_policy.tpl
│ ├── vault_admin_policy.tpl
│ └── vault_super_admin_policy.tpl
├── terraform.auto.tfvars
├── terraform.tfstate
└── terraform.tfstate.backup
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| azuread | >= 2.47.0 |
| azurerm | >= 3.97.1 |
| vault | >= 4.1.0 |
| Name | Version |
|---|---|
| azuread | 2.47.0 |
| random | 3.6.0 |
| vault | 4.1.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| azure_tenant_id | Azure Tenant ID | string |
"" |
yes |
| user | Demo User | string |
"user" |
no |
| vault_auth_mount_path | Vault Authentication Mount Path | string |
"oidc-azure" |
yes |
| vault_cli_port | Vault CLI Port | string |
"8250" |
no |
| vault_port | Vault Port | string |
"8200" |
no |
| vault_root_token | Vault Root Token | string |
"" |
yes |
| vault_url | Vault URL | string |
"http://localhost:8200" |
yes |
| Name | Description |
|---|---|
| azuread_application_client_id | oidc_client_id |
| azuread_application_id | oidc_client_id |
| azuread_application_object_id | n/a |
| azuread_application_oidc_metadata_document | oidc_discovery_url |
| azuread_application_password | oidc_client_secret |
| azuread_application_password_id | n/a |
| azuread_application_password_key_id | n/a |
| azuread_group_id | n/a |
| azuread_group_object_id | n/a |
| azuread_group_owner | n/a |
| oidc_client_id | oidc_client_id |
| oidc_client_secret | oidc_client_secret |
| oidc_discovery_url | oidc_discovery_url |
- https://registry.terraform.io/providers/hashicorp/azuread
- https://registry.terraform.io/providers/hashicorp/azurerm
- https://registry.terraform.io/providers/hashicorp/vault
- https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/azuread
- https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris
- https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth-azure
- https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
- https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications
- https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-permissions-differences#userread
- https://solideogloria.tech/terraform/grant-admin-consent-for-an-azure-ad-application-with-terraform/
- https://www.youtube.com/watch?v=6Kl7rR0husk
- https://itinsights.org/HashiCorp-Vault-Authenticate-and-authorize-AzureAD-Users/
- https://registry.terraform.io/modules/devops-rob/app-vault/azuread/latest
- https://www.hashicorp.com/blog/integrating-azure-ad-identity-hashicorp-vault-part-1-application-auth-oidc
- https://www.hashicorp.com/blog/integrating-azure-ad-identity-with-hashicorp-vault-part-2-vault-oidc-auth-method
- https://www.hashicorp.com/blog/integrating-azure-ad-identity-vault-part-3-azure-managed-identity-via-azure-auth-method