How can I use AD SAML for auth into Kibana from Terraform

Hi All

We have a logging stack that makes use of Amazon OpenSearch in AWS. We have recently been tasked with moving the OpenSearch service to a new VPC, which requires a whole new cluster being set up. We are moving away from using Amazon Cognito as a means of authenticating users into OpenSearch Kibana. We are moving towards using Azure AD SAML.

We have to this point replaced the Cognito config we have in Terraform with the AD SAML config we required on a parallel cluster. The domain gets created successfully, but we have no idea how to use Azure AD SAML to auth into Kibana from Terraform to set up various roles and policies for our users; we previously used Cognito to assume a role that had admin access in Kibana.

We have set up the domain SAML options as below and that works:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain_saml_options

Any advice to achieving this would be highly appreciated.
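For readers following this thread, the following is an added Terraform example of the domain SAML options resource the post links to; it is not the original poster's configuration. It assumes a domain resource named `aws_opensearch_domain.logging` with fine-grained access control enabled (a prerequisite for SAML on Amazon OpenSearch), an Azure AD enterprise application metadata file saved at `./azure-ad-metadata.xml`, and a placeholder Azure AD group object ID for the admin group; the `roles_key` value is the standard Azure AD SAML group claim name.

```hcl
# Added example: SAML options for an existing Amazon OpenSearch domain.
# Assumes aws_opensearch_domain.logging exists with
# advanced_security_options { enabled = true } (fine-grained access control).
resource "aws_opensearch_domain_saml_options" "logging" {
  domain_name = aws_opensearch_domain.logging.domain_name

  saml_options {
    enabled = true

    idp {
      # entity_id must match the Identifier (Entity ID) of the Azure AD
      # enterprise application; this value is a placeholder.
      entity_id = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

      # Federation metadata XML downloaded from the Azure AD app (assumed path).
      metadata_content = file("${path.module}/azure-ad-metadata.xml")
    }

    # Map an Azure AD group to the all_access backend role instead of
    # granting admin to an individual user. Azure AD emits group object IDs
    # in the group claim, so the backend role is the group's object ID.
    # Placeholder value; replace with the real group object ID.
    master_backend_role = "11111111-1111-1111-1111-111111111111"

    # Standard Azure AD SAML claim that carries group membership.
    roles_key = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

    # NameID is used as the subject; leave subject_key unset for that default.
    # Keep admin sessions short; value is in minutes (max 1440).
    session_timeout_minutes = 60
  }
}
```

Using `master_backend_role` with a group rather than `master_user_name` with a single account means admin access is governed by Azure AD group membership, which can be reviewed and revoked centrally; the Terraform resource only wires the IdP and the role mapping, and any further roles or policies inside OpenSearch still have to be created through the OpenSearch security API or a provider that talks to it.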

Hi @zubair.bhamjee ,

I want to make sure I am breaking down your question correctly. Is the problem you are having about how to make Terraform authenticate using SAML using Azure AD/EntraID?

Are you able to authenticate with Kibana using SAML without Terraform (e.g. login as a regular user)?

Hi Jonathan

Yes, your understanding is correct.
We spun up the new cluster in AWS.
We created the enterprise application in the Azure portal, added the SAML config and metadata file to the cluster security settings.
We can log in to Kibana without using Terraform using the admin users we set up on the cluster.

Regards
Zubair

Thanks for the response and helping me understand what’s happening. Apologies for asking a lot of questions but I obviously lack context to your set up.

When you were using Cognito, did Terraform connect to Kibana using a Cognito user? A static user? Or API key? Looking over the provider info, it seems like static users and API keys are the supported ways to authenticate (but it has been several years since I used ELK):

https://registry.terraform.io/providers/elastic/elasticstack/latest/docs

The link you provided in the original message appears to be HOW to configure SAML, which sounds like it worked since you can log into Kibana using your EntraID users.

Apologies if I am not connecting all the pieces properly.

It used a Cognito user that assumed an admin backend role that was used to set up the required policies and roles within Kibana. It was easy enough to integrate this way as Cognito was already an AWS service.

Thanks for the info on the providers, I'll have a look into that to try and get my timeout issues on Terraform resolved.

Regards