Logging in to HashiCorp Vault with Azure Active Directory

Suppose you have happily set up a Vault server and want to configure Azure AD login. You enable the Azure auth method, only to find that it exists for Azure virtual machines to authenticate themselves. That obviously won't do. To authenticate users against Azure AD, you have to use the OIDC (OpenID Connect) auth method.

Mount a Vault auth method

First, log in with an existing credential.

➜  ~ export VAULT_ADDR="http://127.0.0.1:8200"
➜  ~ vault login                           
Token (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                xxxxxxxx
token_accessor       xxxxxxxx
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Then enable an OIDC auth method (the mount path is assumed to be azuread here and below):

➜  ~ vault auth enable -path=azuread oidc
Success! Enabled oidc auth method at: azuread/

Register an app in AAD

Next we need to create the corresponding application in the Azure Portal. Go to Azure Portal -> Azure Active Directory -> App Registrations (Preview) -> New registration and fill in:

  • Name: anything you like
  • Supported account types: choose according to your situation
  • Redirect URI: http://localhost:8250/oidc/callback (note the port number)

Save.

Under Authentication, add the Redirect URIs (if you do not need one of the login methods, leave its URI out):

  • http://localhost:8250/oidc/callback (for local login with the vault CLI)
  • https://vault-server/ui/vault/auth/azuread/oidc/callback (for login through the Vault web UI)

Logout URL: https://vault-server/ui/vault/logout

Under API permissions, add a permission: choose Azure Active Directory Graph -> Delegated permissions -> Group -> Group.Read.All.

In the Manifest, change "groupMembershipClaims": null to "groupMembershipClaims": "SecurityGroup".

Go to Certificates & secrets and create a Client secret.

After this step we have collected three strings in total:

  • tenant ID
  • client ID
  • client secret

Write the settings to Vault

auth config

{
    "oidc_discovery_url": "https://login.microsoftonline.com/{tenant_id}/v2.0",
    "oidc_client_id": "{client_id}",
    "oidc_client_secret": "{client_secret}",
    "default_role": "default"
}
➜  ~ vault write auth/azuread/config @azuread-auth-config.json
Success! Data written to: auth/azuread/config

role config

{
    "allowed_redirect_uris": [
        "http://localhost:8250/oidc/callback",
        "https://vault-server/ui/vault/auth/azuread/oidc/callback"
    ],
    "bound_audiences": [
        "{client_id}"
    ],
    "claim_mappings": {
        "email": "email",
        "name": "name",
        "roles": "roles",
        "tid": "tenant"
    },
    "groups_claim": "groups",
    "oidc_scopes": [
        "User.Read",
        "Group.Read.All"
    ],
    "policies": [
        "default"
    ],
    "role_type": "oidc",
    "user_claim": "sub"
}
➜  ~ vault write auth/azuread/role/default @azuread-test-defaultrole.json
Success! Data written to: auth/azuread/role/test-role
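To see what the role config above asks Vault to do with an Azure AD ID token, here is a small added Python model (not Vault's code and not from the original post) that applies the role's bound_audiences, user_claim, claim_mappings and groups_claim to a constructed, unsigned token. In Vault's claim_mappings the keys are claim names and the values are metadata keys, so the Azure tid claim is mapped as "tid": "tenant"; the client ID and every claim value are constructed placeholders, and signature verification against the tenant's JWKS, which Vault performs first, is left out.

```python
import base64
import json

# Constructed client ID standing in for {client_id}; the rest mirrors the role config above.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ROLE = {
    "bound_audiences": [CLIENT_ID],
    "claim_mappings": {"email": "email", "name": "name", "roles": "roles", "tid": "tenant"},
    "groups_claim": "groups",
    "user_claim": "sub",
    "policies": ["default"],
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    # Constructed, unsigned token for illustration only. A real token from
    # login.microsoftonline.com is RS256-signed, and Vault checks that signature
    # against the JWKS found through oidc_discovery_url before anything below runs.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def evaluate_role(id_token: str, role: dict) -> dict:
    """Apply the role's claim rules to a token; raise ValueError where Vault would deny login."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # bound_audiences: a token minted for some other app registration must not log in here.
    if not any(a in role["bound_audiences"] for a in auds):
        raise ValueError(f"aud {aud!r} not in bound_audiences")
    if role["user_claim"] not in claims:             # user_claim names the entity alias
        raise ValueError(f"user_claim {role['user_claim']!r} missing from token")
    # claim_mappings: claim name -> metadata key on the alias (missing claims are skipped).
    metadata = {meta: claims[claim] for claim, meta in role["claim_mappings"].items() if claim in claims}
    # groups_claim: with groupMembershipClaims=SecurityGroup, Azure emits group object IDs here.
    groups = list(claims.get(role["groups_claim"], []))
    return {"alias": claims[role["user_claim"]], "metadata": metadata,
            "groups": groups, "policies": list(role["policies"])}


def role_accepts(id_token: str, role: dict) -> bool:
    try:
        evaluate_role(id_token, role)
        return True
    except ValueError:
        return False
```

The groups list is what Vault turns into group aliases, so it is the set of Azure group object IDs you can bind external identity groups (and thus extra policies) to.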

Make the login method visible to unauthenticated users

Just set the listing_visibility tuning option on the azuread mount.

Test

Try logging in:

➜  ~ vault login -method=oidc -path=azuread role=test-role
Complete the login via your OIDC provider. Launching browser to:

    https://login.windows.net/{tenant_id}/oauth2/authorize?client_id={client_id}&nonce=xxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid&state=xxxxxxxx


Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                xxxxxxxx
token_accessor       xxxxxxxx
token_duration       30m
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_role      default
