Dear Vault community,
I am trying to integrate our vault test environment with a test keycloak installation. My goal is to authenticate to vault using a keycloak jwt token. I am not an expert on jwt authentication in general hence I may have had things mixed…
Steps to setup the environment below:
Create keycloak client
Enable jwt authentication in vault
    vault auth enable -path=kc jwt
Setup the jwt auth method
    vault write auth/kc/config \
        oidc_discovery_url="https://auth-tds.mydomain.local/auth/realms/xxx" \
        oidc_client_id="poc_auth" \
        oidc_client_secret="mysecret" \
        default_role="test"
Authenticate to keycloak to get a token. Inspect the token for the sub and aud fields.
Setup vault role
    vault write auth/kc/role/test \
        role_type=jwt \
        bound_subject="97516847-fd75-4220-9d9c-0da0707f2200" \
        bound_audiences="account" \
        user_claim="aud" \
        policies="my-test-policy" \
        ttl=1h
Authenticate against vault using the keycloak jwt token generated in the previous step
    vault write auth/kc/login role=test jwt=...
This last step gives me the following output:
    Error writing data to auth/kc/login: Error making API request.

    URL: PUT https://my-vault.local/v1/auth/kc/login
    Code: 500. Errors:

    * unhandled case during login
I would appreciate any insight into what I am doing wrong and how to move forward so that I can authenticate to vault using my keycloak jwt token.
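An added pre-flight check, not part of the post above, that decodes a JWT payload and compares it with the role settings used here (bound_subject, bound_audiences, user_claim). The token is constructed, not issued by Keycloak; the check that user_claim must name a string-valued claim follows Vault's documentation of that parameter, and RFC 7519 allows aud to be either a string or an array.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    # Payload inspection only: the signature is not checked here. Vault
    # verifies it at login against the keys found via oidc_discovery_url.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_role_bindings(claims: dict, bound_subject: str,
                        bound_audiences: list, user_claim: str) -> list:
    """Return a list of mismatches between the token claims and the role."""
    problems = []
    if claims.get("sub") != bound_subject:
        problems.append(f"sub {claims.get('sub')!r} != bound_subject {bound_subject!r}")
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]   # aud may be string or array
    if not set(auds) & set(bound_audiences):
        problems.append(f"aud {auds!r} has no overlap with bound_audiences {bound_audiences!r}")
    value = claims.get(user_claim)
    if not isinstance(value, str):                   # Vault needs a string here
        problems.append(f"user_claim {user_claim!r} is {type(value).__name__}, not a string")
    return problems


# Constructed sample (alg "none", no signature): sub matches the role in the
# post; aud is an array, the case a string-only user_claim cannot handle.
SAMPLE_CLAIMS = {
    "sub": "97516847-fd75-4220-9d9c-0da0707f2200",
    "aud": ["account"],
    "preferred_username": "alice",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "",
])

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for uc in ("aud", "preferred_username"):
        print(uc, check_role_bindings(claims, SAMPLE_CLAIMS["sub"], ["account"], uc))
```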