I am trying to integrate Keycloak with Vault. I have 2 Vault policies (Admin, Dev). I want to use a path ‘keycloak’, and have done $ vault auth enable -path=keycloak oidc
.
The problem I want to solve, is to map Vault Policy with the Keycloak Client Role.
$ vault write auth/keycloak/config \
oidc_discovery_url="https://$KEYCLOAK_ADDRESS/auth/realms/master" \
oidc_client_id="vault" \
oidc_client_secret=${CLIENT_SECRET} \
default_role="admin" type="oidc"
$ vault write auth/keycloak/role/admin \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="admin" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
$ vault write auth/keycloak/role/dev \
bound_audiences="vault" \
allowed_redirect_uris="https://$VAULT_ADDRESS/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="https://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="dev" \
ttl=4h \
role_type="oidc" \
oidc_scopes="openid"
I want admin and dev roles in Vault bound to “vault” client in Keycloak. However, according to the group that the user is bounded to, I want the user to have different policy. (Both login via console with vault login -method=oidc keycloak
)
Have any ideas? The solution I have in mind is to make 2 different client. However, I want only 1 client ‘vault’. Can this be achieved?