Keycloak Client Role mapping with Vault

Getting advice
1

I am trying to integrate Keycloak with Vault. I have 2 Vault policies (Admin, Dev). I want to use a path ‘keycloak’, and have done $ vault auth enable -path=keycloak oidc .

The problem I want to solve, is to map Vault Policy with the Keycloak Client Role.

$ vault write auth/keycloak/config \
  oidc_discovery_url="https://$KEYCLOAK_ADDRESS/auth/realms/master" \
  oidc_client_id="vault" \
  oidc_client_secret=${CLIENT_SECRET} \
  default_role="admin" type="oidc"

$ vault write auth/keycloak/role/admin \
    bound_audiences="vault" \
    allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="https://localhost:8250/oidc/callback" \
    user_claim="sub" \
    policies="admin" \
    ttl=4h \
    role_type="oidc" \
    oidc_scopes="openid"

$ vault write auth/keycloak/role/dev \
    bound_audiences="vault" \
    allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="https://localhost:8250/oidc/callback" \
    user_claim="sub" \
    policies="dev" \
    ttl=4h \
    role_type="oidc" \
    oidc_scopes="openid"

I want admin and dev roles in Vault bound to “vault” client in Keycloak. However, according to the group that the user is bounded to, I want the user to have different policy. (Both login via console with vault login -method=oidc keycloak )

Have any ideas? The solution I have in mind is to make 2 different client. However, I want only 1 client ‘vault’. Can this be achieved?

2

I’ll add a note here for others searching that this question is about using HashiCorp Vault (https://vaultproject.io) with Keycloak.

3

I am looking for this as well.

I think what you are missing is a procedure described here: https://github.com/hashicorp/vault/issues/6494

but you might got it by now…

i think you have to create an external identity group and a group alias that is matching - i assume (i am battling here atm…) - matching to the role that is assigned in keycloak. you do no longer have to specify the policy in the vault role itself but in the implicit lookup that fetches the roles from keycloak that match it locally on vault. if i’m correct.

obviously i am not able to explain it so well, i hope i get i working, will try to remember to post it here :slight_smile:
but hope even after the 27d days this was still of some help…

my issue though,

i did setup a Client mapper for the vault client, which is called groups that maps to the roles.

I assume it would show me the possible client role membership.

I am now able to see in the vault logs that it is collecting the group memberships as a list. the problem is that it does not show up the roles that are configured on the vault client level, it only shows the roles from the Realm.

4

removing the policy on the vault role, and adding
`groups_claim=‘groups’

setup the role mapper in keycloak to “groups”

vault write identity/group name='test-group' \
        policies='test-policy' \
        type='external'

vault write identity/group-alias name='{a value from groups_claim}' \
        mount_accessor=auth_oidc_xxxx \
        canonical_id='{id from group creation}'