azuread-oidc
devops-rob/azuread-oidc/vault
This terraform module enables and configures the OIDC auth method in HashiCorp Vault to use Azure Active Directory as an Identity Provider.
Azure OIDC Auth Method for HashiCorp Vault

In order to use this module, a Service Principal will need to be provisioned with GroupMember.Read.All API permissions in Microsoft Graph. Admin consent must be granted to the default directory for this permission.

The [Azure AD Application for Vault Terraform module]() is a great companion module as it provisions the application with the required permissions for OIDC to be correctly configured. If using the module, admin consent must still be granted for the default directory.

In order to map Azure AD groups to Vault groups that are tied to the OIDC auth method, the [Vault Azure AD Groups Module]() can also b
Inputs:

| Name | Type | Description | Default |
|---|---|---|---|
| client_id | string | The client id for credentials to query the Azure APIs. Currently read permission | required |
| client_secret | string | The client secret for credentials to query the Azure APIs. | required |
| app_owners | list(string) | A set of object IDs of principals that will be granted ownership of the applicat | required |
| tenant_id | string | The tenant id for the Azure Active Directory organization. | required |
| azure_role_name | string | The name of the role. | "default" |
| allowed_redirect_uris | list(string) | | ["http://localhost:8200/oidc/callback |
| vault_ui_redirect_address | string | DNS hostname or IP address of Vault's UI. | "http://localhost:8200" |
| vault_cli_redirect_address | string | DNS hostname or IP address of Vault's CLI. | "http://localhost:8250" |
| oidc_scopes | list(string) | | ["https://graph.microsoft.com/.defaul |
Outputs:

- tenant_id: Tenant ID of Azure subscription.
- auth_method: Path that the auth method is mounted at.
- mount_accessor: Mount accessor ID for auth method.
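As an added illustration of what this module configures, not the module's own source (which is not shown on this page), here are the standard Vault provider resources such a module drives, wired to the input names from the table above. The mount path `oidc`, the claim names and the policy name `azure-ad-users` are assumptions.

```hcl
# Added example (not the module's source). var.* names mirror the inputs
# table above; "azure-ad-users" and the "oidc" mount path are placeholders.

resource "vault_jwt_auth_backend" "azure" {
  path = "oidc"
  type = "oidc"

  # Azure AD v2.0 discovery document for this tenant; Vault validates
  # id_tokens against the signing keys it publishes.
  oidc_discovery_url = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
  oidc_client_id     = var.client_id
  oidc_client_secret = var.client_secret

  # Role used when a login does not name one explicitly
  default_role = var.azure_role_name

  # Lets Vault query Microsoft Graph for group membership when the token
  # carries a groups overage instead of a full "groups" claim. This is the
  # lookup that needs the GroupMember.Read.All permission and admin consent.
  provider_config = {
    provider = "azure"
  }
}

resource "vault_jwt_auth_backend_role" "default" {
  backend   = vault_jwt_auth_backend.azure.path
  role_name = var.azure_role_name
  role_type = "oidc"

  # Only exact, pre-registered callback URIs are accepted. Keep this list
  # to the Vault UI and CLI callbacks so an authorization code can never be
  # redirected anywhere else.
  allowed_redirect_uris = var.allowed_redirect_uris

  # Graph scope required for the group lookup configured above
  oidc_scopes = var.oidc_scopes

  # The id_token must be issued for this application, not merely by this tenant
  bound_audiences = [var.client_id]

  user_claim   = "email"
  groups_claim = "groups"

  token_policies = ["azure-ad-users"]
  token_ttl      = 3600
}

output "mount_accessor" {
  value = vault_jwt_auth_backend.azure.accessor
}
```

The `mount_accessor` output is what a companion groups module uses to build Vault identity group aliases for the Azure AD groups named in the `groups` claim.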