Pre-create vault_identity_entity and vault_identity_entity_alias for oidc mount?

I’ve configured my Vault to use OIDC as the auth method and pointed it at my company IdP.

I’m trying to figure out how I can create an entity for a new employee and bind an alias for their future OIDC login using terraform, and bind this alias to the entity.

Right now when the user has logged on the first time, I see the mount path and all, but BEFORE the user has logged on at all, how can I pre-create the oidc mount for the user and connect it to the right entity using terraform?

The goal is to allow our operations team to pre-create the users and all relevant policies in vault using terraform before the user has even started at the company, so the first day of joining the company everything “just works”.

The Vault entity / entity-alias system is indeed quite confusingly named.

Realising a couple of key facts helps a lot with understanding it:

First: An entity-alias is a pair of a particular auth method, and a string identifying a particular user of that auth method.

So in your case:

  • the auth method would be the particular instance of the OIDC auth method you have enabled and configured in your Vault
  • the string would be whatever value your OIDC identity provider sends in the claim you configured as user_claim in Vault: https://www.vaultproject.io/api-docs/auth/jwt#user_claim

Second: An entity is just a way of grouping together multiple entity-aliases (which must be from different auth methods), in case you want to, for example, treat “ahnberg logging in via OIDC” as the same identity as “ahnberg logging in via some other backup authentication method you set up”.

However, a lot of the time, this grouping functionality goes unused, and all/most entities just have a single entity-alias each.


So, in your case, you just need to figure out what your OIDC provider will call the new user, and then you can set up the Vault entity and entity-alias using that.


Thank you!
I had understood the concept of identity and identity_alias well. I love the idea!

My confusion was the vault_identity_entity_alias resource in terraform where I assumed wrongly that mount_accessor argument was a unique string per user, while in fact it was the same string for each user based on the OIDC mount accessor only.

Now it became super simple:

# One entity per user; the policy name follows the <username>-ssh-policy convention.
resource "vault_identity_entity" "entity" {
  name     = var.username
  policies = ["${var.username}-ssh-policy"]
  metadata = {
    organization = var.org
  }
}

# One alias per auth mount: mount_accessor is the accessor of the OIDC mount itself
# (the same for every user), while name is the per-user value from the user_claim.
resource "vault_identity_entity_alias" "oidc-alias" {
  name           = "${var.username}@${var.domain}"
  mount_accessor = "auth_oidc_6c3ef142"
  canonical_id   = vault_identity_entity.entity.id
}
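As an added example (not code from this thread), the same pattern generalised to a whole onboarding batch: one entity, alias and policy per user from a map, with the mount accessor read from Vault instead of pasted in. It assumes the OIDC method is mounted at path `oidc`, that its role sets `user_claim = "email"`, and an `ssh/sign/<user>` path layout; the user values are constructed.

```hcl
# Added example (not from the thread): one entity + OIDC alias per user from a map,
# with the mount accessor looked up rather than pasted in. Assumptions: the OIDC
# method is mounted at "oidc" and its role sets user_claim = "email".
variable "users" {
  type = map(object({ email = string, org = string }))
  # Constructed sample values, not real accounts.
  default = {
    ahnberg = { email = "ahnberg@example.com", org = "platform" }
    jdoe    = { email = "jdoe@example.com", org = "ops" }
  }
}

# The accessor is the same for every alias on this mount, so read it from Vault.
data "vault_auth_backend" "oidc" {
  path = "oidc"
}

# Per-user least-privilege policy; the ssh/sign path is an assumed layout.
resource "vault_policy" "user_ssh" {
  for_each = var.users
  name     = "${each.key}-ssh-policy"
  policy   = <<-EOT
    path "ssh/sign/${each.key}" {
      capabilities = ["update"]
    }
  EOT
}

resource "vault_identity_entity" "user" {
  for_each = var.users
  name     = each.key
  policies = [vault_policy.user_ssh[each.key].name]
  metadata = {
    organization = each.value.org
  }
}

# The alias name must equal the value the IdP sends in user_claim; if it does
# not match, the first login creates a separate implicit entity instead of
# binding to this one.
resource "vault_identity_entity_alias" "oidc" {
  for_each       = var.users
  name           = each.value.email
  mount_accessor = data.vault_auth_backend.oidc.accessor
  canonical_id   = vault_identity_entity.user[each.key].id
}
```

After `terraform apply`, `vault read identity/entity/name/ahnberg` should list the alias under the OIDC mount before the user has ever logged in; a mismatched alias name shows up later as a second entity with an auto-generated name.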