depot/ops/vault/cfg/authbackend-oidc.nix

43 lines
1.2 KiB
Nix
Raw Normal View History

2022-03-14 23:34:33 +00:00
{ ... }:
{
resource.vault_jwt_auth_backend.oidc = {
default_role = "user";
namespace_in_state = true;
oidc_discovery_url = "https://accounts.google.com";
oidc_client_id = "620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com";
oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"oidcAuthToken\"]}";
2022-03-14 23:34:33 +00:00
};
my.authBackend.oidc = {
resourceType = "vault_jwt_auth_backend";
tune.default_lease_ttl = "24h";
tune.max_lease_ttl = "24h";
};
2022-05-21 14:42:55 +00:00
resource.vault_jwt_auth_backend_role = let
baseRole = {
backend = "\${resource.vault_jwt_auth_backend.oidc.path}";
role_type = "oidc";
bound_audiences = ["620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com"];
user_claim = "sub";
allowed_redirect_uris = [
"http://localhost:8250/oidc/callback"
"https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/oidc/callback"
"https://vault.int.lukegb.com/ui/vault/auth/oidc/oidc/callback"
];
};
in {
oidc_user = baseRole // {
role_name = "user";
token_policies = ["base" "user"];
};
oidc_admin = baseRole // {
role_name = "admin";
token_policies = ["base" "admin"];
};
};
2022-03-14 23:34:33 +00:00
}