I am a big fan of containers, so we will use Docker containers to set up Vault.
1. Create a volume to persist Vault secrets
docker volume create vault_data
2. Create a Vault config file with the .hcl extension (e.g. vault.hcl)
ui = true
disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}

storage "file" {
  path = "/vault/file"
}
ui: boolean value. Setting this to true enables the Vault UI.
disable_mlock: boolean value. Setting this to true stops the server from executing the mlock syscall; mlock prevents memory from being swapped to disk.
tls_disable: setting this to 1 disables TLS on the listener, so the API and UI are served over plain HTTP. That is fine for this local setup; anything that is not local should keep TLS enabled.
I am using file storage, and the path points at the directory where the data volume will be mounted.
For more Vault configuration options, refer to the Vault configuration documentation.
3. Run the following command to create the Vault container.
docker run --name vault -d -p 8200:8200 --mount type=bind,source="$(pwd)/vault.hcl",destination=/vault.hcl --mount type=volume,source=vault_data,destination=/vault/file vault:1.9.2 vault server -config=/vault.hcl
Here, we mount vault.hcl (created in step 2) and the vault_data volume (created in step 1), and publish port 8200 so Vault is reachable from the host. The bind mount source must be an absolute path, hence $(pwd).
4. Next, we need to initialize Vault. Open a shell in the running vault container:
docker exec -it vault sh
5. Export the Vault address and initialize:
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
Note: Please don’t forget to copy the output. It’s basically the 5 unseal keys and the root token. If you miss it, even the Money Heist Professor can’t help.
6. Now we need to unseal Vault. To do so, either use the Vault CLI or open http://localhost:8200 in a browser. I prefer the UI (since I didn’t try the CLI approach :P)
7. Paste 3 of the 5 unseal keys generated above, one by one, clicking Unseal after each. When you enter the 3rd key and click Unseal, Vault is unsealed and you can start accessing it.
8. Now Vault is accessible only with the root token. To enable Google OAuth SSO, create OAuth credentials in the Google Cloud console.
Once created, download the JSON file (client.json). Note the two redirect_uris; they must match the redirect URIs allowed on the role in step 13.
{
  "web": {
    "client_id": "123.apps.googleusercontent.com",
    "project_id": "test-project",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "1234",
    "redirect_uris": [
      "http://localhost:8200/oidc/callback",
      "http://localhost:8200/ui/vault/auth/oidc/oidc/callback"
    ]
  }
}
9. Go back to the terminal, open a shell in the vault container (step 4, if you are not already in one) and run the following commands.
10. Log in to Vault
vault login
Paste the root token when prompted.
11. Once the login succeeds, enable the OIDC auth method.
vault auth enable oidc
12. Run the following command to configure OIDC authentication.
vault write auth/oidc/config \
  oidc_client_id="123.apps.googleusercontent.com" \
  oidc_client_secret="123" \
  default_role="default_role" \
  oidc_discovery_url="https://accounts.google.com"
Replace oidc_client_id and oidc_client_secret with the client_id and client_secret from client.json. Here, default_role is set to default_role, which is the name of the role we create in the next step.
13. Configure the role default_role with the OIDC redirect URLs and scopes.
vault write auth/oidc/role/default_role \
  user_claim="email" \
  allowed_redirect_uris="http://localhost:8200/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
  groups_claim="" \
  oidc_scopes="email,profile" \
  policies=default
Note: Make sure you use the same role name that was set as default_role in the previous step, and that allowed_redirect_uris matches the redirect_uris registered with Google exactly.
We are all set and Google SSO is integrated with Vault. To log in using Google SSO, choose OIDC as the login method and enter the role default_role. This shows the Log in with Google button.
Once logged in successfully, you should be able to access vault, create secrets and much more.
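A small added check, not part of the original post: it derives the two vault write payloads from the downloaded client.json instead of retyping the values, and flags the two mismatches that make the Google login fail (a default_role that does not name the role written in step 13, or an allowed redirect URI that Google has not registered). The client.json content below is constructed with placeholder values.

```python
import json

# Constructed sample of the client.json downloaded from Google; the
# client_id and client_secret are placeholders, not real credentials.
CLIENT_JSON = """
{"web": {"client_id": "123.apps.googleusercontent.com",
         "project_id": "test-project",
         "client_secret": "1234",
         "redirect_uris": ["http://localhost:8200/oidc/callback",
                           "http://localhost:8200/ui/vault/auth/oidc/oidc/callback"]}}
"""

def build_oidc_payloads(client_json, role="default_role", policies=("default",)):
    """Derive the auth/oidc/config and auth/oidc/role/<role> payloads from
    client.json so the id, secret and redirect URIs are never retyped by hand."""
    web = json.loads(client_json)["web"]
    config = {
        "oidc_client_id": web["client_id"],
        "oidc_client_secret": web["client_secret"],
        "default_role": role,
        "oidc_discovery_url": "https://accounts.google.com",
    }
    role_cfg = {
        "user_claim": "email",
        "allowed_redirect_uris": list(web["redirect_uris"]),
        "oidc_scopes": ["email", "profile"],
        "policies": list(policies),
    }
    return config, role_cfg

def find_problems(config, role_name, role_cfg, registered_uris):
    """Return the mismatches that break the Google login: a default_role that does not
    name the role written, and allowed URIs Google answers with redirect_uri_mismatch."""
    problems = []
    if config["default_role"] != role_name:
        problems.append(f"default_role {config['default_role']!r} != role {role_name!r}")
    for uri in role_cfg["allowed_redirect_uris"]:
        if uri not in registered_uris:
            problems.append(f"unregistered redirect URI {uri}")
    return problems

def to_cli(path, payload):
    """Render a payload as a multi-line vault write command; lists are comma-joined."""
    parts = [f"vault write {path}"]
    for key, value in payload.items():
        value = ",".join(value) if isinstance(value, list) else value
        parts.append(f'{key}="{value}"')
    return " \\\n  ".join(parts)
```

Run find_problems before the two vault write commands; an empty list means the config and role agree with what Google has registered.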