Hey,
We are using Vault (installed using Helm within an EKS cluster) with Azure AD OIDC (login with email).
Everything is working as expected, but we want to enable the audit logs to check things like who created a secret and who updated it.
We are using the below Helm values:
```yaml
helm:
  values: |
    injector:
      enabled: false
    server:
      extraSecretEnvironmentVars:
        - envName: VAULT_PG_CONNECTION_URL
          secretName: vault-pg-connection-url
          secretKey: VAULT_PG_CONNECTION_URL
      extraEnvironmentVars:
        VAULT_SEAL_TYPE: awskms
        VAULT_AWSKMS_SEAL_KEY_ID: "alias/vault"
        VAULT_LOG_LEVEL: debug
      serviceAccount:
        create: true
        annotations:
          eks.amazonaws.com/role-arn: "arn:aws:iam::*****:role/vault-auto-unseal-role"
          meta.helm.sh/release-namespace: vault
          meta.helm.sh/release-name: vault
        labels:
          app.kubernetes.io/instance: vault
          app.kubernetes.io/managed-by: Helm
          app.kubernetes.io/name: vault
      affinity: ""
      ha:
        enabled: true
        config: |
          ui = true
          cluster_name = "vault-cluster"
          # connection_url comes from the VAULT_PG_CONNECTION_URL environment variable
          storage "postgresql" {
            table      = "vault_kv_store"
            ha_enabled = true
            ha_table   = "vault_ha_locks"
          }
          listener "tcp" {
            address         = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_disable     = "true"
          }
          service_registration "kubernetes" {}
          log_level = "Debug"
          seal "awskms" {
            region = "us-east-1"
          }
    ui:
      enabled: true
      externalPort: 8200
```
Also, we are using the below OIDC configuration:
```shell
vault auth enable oidc

vault write auth/oidc/config \
  oidc_client_id="************" \
  oidc_client_secret="************" \
  default_role="azure-ad-role" \
  oidc_discovery_url="https://login.microsoftonline.com/************/v2.0"

vault write auth/oidc/role/azure-ad-role \
  user_claim="sub" \
  allowed_redirect_uris="https://************/ui/vault/auth/oidc/oidc/callback" \
  groups_claim="groups" \
  oidc_scopes="https://graph.microsoft.com/.default profile" \
  policies=default

vault write identity/group-alias \
  name="************" \
  mount_accessor="auth_oidc_***ec8" \
  canonical_id="************"
```
Can someone suggest the best practices and how to achieve that?
Also, will there be any option where we can enable this audit in the version history section somehow?
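Once an audit device is enabled, Vault writes every request and response as one JSON line, so "who created or updated this secret" becomes a filter over those lines. This is an added example, not code from the post: it assumes a file audit device (for example `vault audit enable file file_path=/vault/audit/vault_audit.log`, backed in the Helm chart by `server.auditStorage.enabled: true`), a KV mount at `secret/`, and constructed sample entries whose field names follow the Vault audit log format.

```python
import json

# Constructed sample of Vault file-audit-device entries (JSON lines). Real entries
# carry many more fields, and sensitive values are replaced by HMAC-SHA256 digests.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-03-01T10:00:00Z","type":"request","auth":{"display_name":"oidc-alice","entity_id":"e-1","metadata":{"role":"azure-ad-role"}},"request":{"id":"r1","operation":"create","path":"secret/data/app/db"}}
{"time":"2024-03-01T10:00:00Z","type":"response","auth":{"display_name":"oidc-alice","entity_id":"e-1","metadata":{"role":"azure-ad-role"}},"request":{"id":"r1","operation":"create","path":"secret/data/app/db"},"response":{}}
{"time":"2024-03-01T11:30:00Z","type":"response","auth":{"display_name":"oidc-bob","entity_id":"e-2","metadata":{"role":"azure-ad-role"}},"request":{"id":"r2","operation":"update","path":"secret/data/app/db"},"response":{}}
{"time":"2024-03-01T12:00:00Z","type":"response","auth":{"display_name":"oidc-bob","entity_id":"e-2"},"request":{"id":"r3","operation":"read","path":"secret/data/app/db"},"response":{}}
{"time":"2024-03-01T12:05:00Z","type":"response","auth":{"display_name":"oidc-carol","entity_id":"e-3"},"request":{"id":"r4","operation":"update","path":"secret/data/app/db"},"error":"permission denied"}
"""

WRITE_OPS = {"create", "update", "delete"}


def secret_changes(log_text: str, path_prefix: str = "secret/data/") -> list:
    """Return one record per successful write to a KV path under path_prefix."""
    changes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Keep only completed, successful operations: the "request" line is written
        # before the operation finishes, and a failed call carries an "error" field.
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        if req.get("operation") not in WRITE_OPS or not req.get("path", "").startswith(path_prefix):
            continue
        auth = entry.get("auth", {})
        changes.append({
            "time": entry["time"],
            "path": req["path"],
            "operation": req["operation"],
            "actor": auth.get("display_name", "<unknown>"),   # OIDC logins show as oidc-<user_claim>
            "entity_id": auth.get("entity_id"),               # stable identity across tokens
            "role": (auth.get("metadata") or {}).get("role"),
        })
    return changes


def history_for(log_text: str, path: str) -> list:
    """Human-readable 'who did what, when' lines for one secret path."""
    return [f'{c["time"]} {c["operation"]} by {c["actor"]} (entity {c["entity_id"]})'
            for c in secret_changes(log_text) if c["path"] == path]


if __name__ == "__main__":
    for line in history_for(SAMPLE_AUDIT_LOG, "secret/data/app/db"):
        print(line)
```

The `request` and `response` entries for one call share `request.id`; using only the `response` line avoids double counting and excludes writes that were denied by policy.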
