OIDC With Vault
How to authenticate the env0 runner using Vault and OIDC
This guide is to help you connect to Vault with OIDC.
Overview
This guide will show you how to create a JWT Authentication Method, and how to configure env0 to utilize OIDC to authenticate to your vault cluster to retrieve secrets. Refer to env0's OIDC configuration.
We are going to follow the Vault documentation on how to create a JWT authentication method.
JWT Authentication Method
- Login to your vault cluster
- In the top navigation bar click on Access
- Choose Auth Methods in the left side menu
- Click on the Enable new method button and it will open the Authentication method creation wizard
- Choose JWT and click on the Next button
- In the Method Options add a description and the relevant configuration and click on the Enable Method button
- In the Configure JWT page under the Jwks url enter https://login.app.env0.com/.well-known/jwks.json
- Under JWT Options set the Bound issuer to be https://login.app.env0.com/
- Click on the Save button

Add Custom Claims
To add custom claims we will use the Vault CLI. Make sure you have it installed on your machine and that you have access to the Vault cluster. You will need to set the following environment variables:
- VAULT_ROLE_NAME
- VAULT_NAMESPACE
- VAULT_ADDR
- VAULT_TOKEN
- You can also use the vault login command instead of setting VAULT_TOKEN
Now let's execute the following command, and make sure you substitute Your_Vault_Role_Name with the role name and Your env0 Organization Id with your actual env0 organization Id.

```shell
vault write auth/jwt/role/Your_Vault_Role_Name - <<EOF
{
  "user_claim": "sub",
  "role_type": "jwt",
  "bound_audiences": ["https://prod.env0.com"],
  "bound_claims": {
    "organizationId": "Your env0 Organization Id",
    "apiKeyType": "oidc"
  }
}
EOF
```
More Claims
In this example we only set the aud, the organizationId and the apiKeyType claims, however you can also set any additional claims you would like from the list of claims we support. The list is located here.
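As an added example (not part of the env0 or Vault documentation), the Python helper below decodes an env0 OIDC token locally and reports which of the role bindings configured above it would fail, which is useful when a Vault JWT login is denied and you need to see which claim does not match. It assumes the role configuration shown above, constructs its own sample token, and does not verify the signature, which Vault performs against the JWKS URL.

```python
import base64
import json

# Bindings from the `vault write auth/jwt/role/...` call above, plus the
# bound issuer configured on the JWT auth method itself.
ROLE = {
    "user_claim": "sub",
    "bound_issuer": "https://login.app.env0.com/",
    "bound_audiences": ["https://prod.env0.com"],
    "bound_claims": {"organizationId": "Your env0 Organization Id", "apiKeyType": "oidc"},
}


def decode_payload(token: str) -> dict:
    """Return the JWT payload. The signature is NOT checked here: Vault verifies
    it against the JWKS URL; this helper only inspects the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def role_mismatches(token: str, role: dict = ROLE) -> list:
    """List every role binding the token would fail (empty list = all match).
    bound_claims use exact string comparison, Vault's default bound_claims_type."""
    claims = decode_payload(token)
    problems = []
    if claims.get("iss") != role["bound_issuer"]:
        problems.append(f"iss={claims.get('iss')!r} is not the bound issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud={aud!r} matches no bound audience")
    for name, expected in role["bound_claims"].items():
        if claims.get(name) != expected:
            problems.append(f"{name}={claims.get(name)!r} != {expected!r}")
    if role["user_claim"] not in claims:
        problems.append(f"user_claim {role['user_claim']!r} is missing")
    return problems


def constructed_token(claims: dict) -> str:
    """Build a sample token with a dummy signature, for local claim checks only
    (constructed test data; Vault would reject it at signature verification)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


SAMPLE_CLAIMS = {"iss": "https://login.app.env0.com/", "aud": "https://prod.env0.com",  # constructed
                 "sub": "constructed-subject", "apiKeyType": "oidc",
                 "organizationId": "Your env0 Organization Id"}
```

Run `role_mismatches(constructed_token(SAMPLE_CLAIMS))` to see an empty list, then change one claim in the sample to see the corresponding binding reported.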
Authenticating to Vault With Terraform
If you are using the Vault provider to retrieve your secrets you can configure it in Terraform:

```hcl
provider "vault" {
  address = "https://vault.example.net:8200"
  auth_login_jwt {
    namespace = "namespace"
    role      = "my_role"
  }
}
```
You will also need to set TERRAFORM_VAULT_AUTH_JWT as an environment variable in your environment with the value $ENV0_OIDC_TOKEN. We will do so by adding the following command to your env0.yml file:

```yaml
version: 2
deploy:
  steps:
    setupVariables:
      before:
        - name: Set OIDC Token For Vault
          run: echo TERRAFORM_VAULT_AUTH_JWT=$ENV0_OIDC_TOKEN >> $ENV0_ENV
```
Authenticating to Vault Using Vault CLI
This will require you to install the Vault CLI during the deployment and then use the CLI to get a token for your Vault cluster. Here is an example env0.yml that will install the Vault CLI and get a new Vault token using the JWT token. This requires 3 environment variables: VAULT_VERSION to specify the version of the CLI, VAULT_ROLE_NAME to specify the role name you would like to login to, and VAULT_ADDR to specify the Vault Cluster URL:

```yaml
version: 2
deploy:
  steps:
    setupVariables:
      before:
        - name: Get Vault Token Using CLI
          run: |
            curl https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip --output vault.zip
            unzip vault.zip
            ./vault write auth/jwt/login role="${VAULT_ROLE_NAME}" jwt="${ENV0_OIDC_TOKEN}"
```