OIDC With Vault
How to authenticate the env0 runner using Vault and OIDC
This guide is to help you connect to Vault with OIDC.
Overview
This guide will show you how to create a JWT Authentication Method, and how to configure env0 to utilize OIDC to authenticate to your vault cluster to retrieve secrets. Refer to env0's OIDC configuration.
We are going to follow the Vault documentation on how to create a JWT Authentication
JWT Authentication Method
- Login to your vault cluster
- In the top navigation bar click on
Access - Choose
Auth Methodsin the left side menu - Click on the
Enable new methodbutton and it will open the Authentication method creation wizard - Choose
JWTand click on the Next button - In the
Method Optionsadd a description and the relevant configuration and click on theEnabled Methodbutton - In the
Configure JWTpage under theJwks urlenterhttps://login.app.env0.com/.well-known/jwks.json - Under
JWT Optionsset theBound issuerto behttps://login.app.env0.com/ - Click on the
Savebutton
Configure JWT
Add Custom Claims
To add custom claims we will use the vault CLI. Make sure you have it installed on your machine and that you have access to the vault cluster. You will need to set the following environment variables:
VAULT_ROLE_NAMEVAULT_NAMESPACEVAULT_ADDRVAULT_TOKEN- You can also use thevault logincommand instead
Now let's execute the following command, and make sure you substitute Your_Vault_Role_Name with the role name and Your env0 Organization Id with your actual env0 organization Id.
vault write auth/jwt/role/Your_Vault_Role_Name - <<EOF
{
"user_claim": "sub",
"role_type": "jwt",
"bound_audiences": ["https://prod.env0.com"],
"bound_claims": {
"organizationId": "Your env0 Organization Id",
"apiKeyType": "oidc"
}
}
EOF
More Claims
In this example we only set the
aud, theorganizationIdand theapiKeyTypeclaims, however you can also set any additinal claims you would like from the list of claims we support. The list is located here
Authenticating to Vault With Env0 Credential
Go to the organization's credentials page and create a new deployment credential. Select Vault OIDC type and enter the following fields:
Address- The vault address, including portVersion- The vault version to useRole Name- Vault role nameJWT Auth Backend Path- Path to the new authentication methodNamespace- Optional, the vault namespace
After creating the credential you will need to go to the relevant project and assign that credential to the project in the project's credentials page
Authenticating to Vault With Terraform
If you are using Vault provider to retrieve your secrets you can specify it using Terraform
provider "vault" {
address = "https://vault.example.net:8200"
auth_login_jwt {
namespace = "namespace"
role = "my_role"
}
}
You will also need to set the TERRAFORM_VAULT_AUTH_JWT as an environment variable to your environment and set the value to be $ENV0_OIDC_TOKEN. We will do so by adding the following command in your env0.yml file:
version: 2
deploy:
steps:
setupVariables:
after:
- name: Set OIDC Token For Vault
run: echo TERRAFORM_VAULT_AUTH_JWT=$ENV0_OIDC_TOKEN >> $ENV0_ENV
Authenticating to Vault Using Vault CLI
This will require you to install the Vault CLI during the deployment and then use the CLI to get a token for your Vault cluster. Here is an example env0.yml that will install Vault CLI and get a new Vault token using the JWT token. This requires 3 environment variables, VAULT_VERSION to specify the version of the CLI, VAULT_ROLE_NAME to specify the role name you would like to login to, and VAULT_ADDR to specify the Vault Cluster URL:
version: 2
deploy:
steps:
setupVariables:
after:
- name: Get Vault Token Using CLI
run: |
curl https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip --output vault.zip
unzip vault.zip
./vault write auth/jwt/login role="${VAULT_ROLE_NAME}" jwt="${ENV0_OIDC_TOKEN}"
Updated 10 days ago