Thrid party authentication vs approl for a cicd pipeline

Masber · October 7, 2021, 10:51am

Dear hashicorp community,

I am learning hashicorp vault and reading this tutorial it says third party authentication should be used instead of approle if available.

Now, I would like to authenticate my cicd pipeline through hashicorp vault and I want to use OIDC authentication. When I go to its documentation it says that a web browser will be open in order to authenticate, my cicd pipeline can’t authenticate in that way.

I would like to follow best practices and try OICD authentication method, but at the same way, I would like to use it in a “unattended way” for my cicd pipeline.

How could I do that?

thank you

jeffsanicola · October 7, 2021, 12:05pm

JWT auth is similar but can be used for automated use cases.

GitLab has a pretty good write up on this: Using external secrets in CI | GitLab

aram · October 7, 2021, 11:28pm

AppRole and OIDC serve two different “primary” purposes, although they can be used for other as well.

AppRole is programmatic authentication for applications, tools, etc. Right now it is the right solution for 99.9% of the people out there. The option of 3rd party auth is there but I haven’t run across many that work as well.

OIDC is user authentication, like LDAP or AD auth to get users a token.

Topic		Replies	Views
Vault as an OAuth/OIDC Identity Provider Vault	7	3086	December 13, 2021
Error Authenticating: Unable to authorize role OIDC Vault vault	11	11607	July 14, 2020
SSO oidc auth and jwt authentication on external provider Vault vault	0	3	January 13, 2025
Vault login OIDC via Onelogin Vault vault	9	835	June 16, 2023
Looking for a way to use OIDC as Secrets Engine Vault	0	238	October 13, 2020

Thrid party authentication vs approl for a cicd pipeline

Related topics