Dear Vault community,
I am trying to integrate our Vault test environment with a test Keycloak installation. My goal is to authenticate to Vault using a Keycloak JWT token. I am not an expert on JWT authentication in general, hence I may have got things mixed…
Steps to set up the environment below:

1. Create a Keycloak client.

2. Enable JWT authentication in Vault:

```bash
vault auth enable -path=kc jwt
```

3. Set up the JWT auth method:

```bash
vault write auth/kc/config \
    oidc_discovery_url="https://auth-tds.mydomain.local/auth/realms/xxx" \
    oidc_client_id="poc_auth" \
    oidc_client_secret="mysecret" \
    default_role="test"
```

4. Authenticate to Keycloak to get a token. Inspect the token for the `sub` and `aud` fields.

5. Set up the Vault role:

```bash
vault write auth/kc/role/test \
    role_type=jwt \
    bound_subject="97516847-fd75-4220-9d9c-0da0707f2200" \
    bound_audiences="account" \
    user_claim="aud" \
    policies="my-test-policy" \
    ttl=1h
```

6. Authenticate against Vault using the Keycloak JWT token generated in the previous step:

```bash
vault write auth/kc/login role=test jwt=...
```
This last step gives me the following output:

```text
Error writing data to auth/kc/login: Error making API request.

URL: PUT https://my-vault.local/v1/auth/kc/login
Code: 500. Errors:

* unhandled case during login
```
I would appreciate any insight into what I am doing wrong and how to move forward and be able to authenticate to Vault using my Keycloak JWT token.
thank you
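As an added illustration (not part of the original post, and not Vault's own code), the script below does offline what step 4 asks for by hand: it decodes the token's payload and checks its claims against the `bound_subject`, `bound_audiences` and `user_claim` settings of the role from step 5. The token and the role settings are constructed samples that mirror the post; the script only inspects claims and does not verify the signature, so it is a debugging aid, not an authentication check. The sample token carries `aud` as a list, which shows why a role whose `user_claim` points at `aud` cannot yield a single string identity for the entity alias.

```python
import base64
import json


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample token (header.payload.signature) shaped like a Keycloak access token.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}),
    _b64url({"iss": "https://auth-tds.mydomain.local/auth/realms/xxx",
             "sub": "97516847-fd75-4220-9d9c-0da0707f2200",
             "aud": ["account"], "preferred_username": "alice", "exp": 4102444800}),
    "constructed-signature",
])

# Role settings from the post; user_claim="aud" is the suspect value.
ROLE = {"bound_subject": "97516847-fd75-4220-9d9c-0da0707f2200",
        "bound_audiences": ["account"], "user_claim": "aud"}


def decode_claims(jwt):
    """Return the payload claims of a compact JWT. Signature is NOT verified here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role_bindings(claims, role):
    """List mismatches between token claims and the Vault role's bindings."""
    problems = []
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        problems.append("sub does not match bound_subject")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if role.get("bound_audiences") and not set(aud) & set(role["bound_audiences"]):
        problems.append("no value in aud matches bound_audiences")
    uc = role["user_claim"]
    if uc not in claims:
        problems.append(f"user_claim {uc!r} is missing from the token")
    elif not isinstance(claims[uc], str):  # Vault needs a single string to name the entity alias
        problems.append(f"user_claim {uc!r} is not a string claim (got {type(claims[uc]).__name__})")
    return problems


if __name__ == "__main__":
    claims = decode_claims(SAMPLE_JWT)
    print(json.dumps(claims, indent=2))
    print(check_role_bindings(claims, ROLE) or "role bindings are satisfied")
```

Pointing `user_claim` at a per-user string claim such as `preferred_username` or `sub` makes the check pass on the sample token.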