bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
titan-iac/services/vault/scripts/vault_oidc_configure.sh

78 lines
2.3 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
log() { echo "[vault-oidc] $*"; }
status_json="$(vault status -format=json || true)"
if [[ -z "${status_json}" ]]; then
log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
exit 1
fi
if ! grep -q '"initialized":true' <<<"${status_json}"; then
log "vault not initialized; skipping"
exit 0
fi
if grep -q '"sealed":true' <<<"${status_json}"; then
log "vault sealed; skipping"
exit 0
fi
: "${VAULT_OIDC_DISCOVERY_URL:?set VAULT_OIDC_DISCOVERY_URL}"
: "${VAULT_OIDC_CLIENT_ID:?set VAULT_OIDC_CLIENT_ID}"
: "${VAULT_OIDC_CLIENT_SECRET:?set VAULT_OIDC_CLIENT_SECRET}"
role="${VAULT_OIDC_DEFAULT_ROLE:-atlas}"
scopes="${VAULT_OIDC_SCOPES:-openid profile email groups}"
user_claim="${VAULT_OIDC_USER_CLAIM:-preferred_username}"
groups_claim="${VAULT_OIDC_GROUPS_CLAIM:-groups}"
token_policies="${VAULT_OIDC_TOKEN_POLICIES:-default}"
redirect_uris="${VAULT_OIDC_REDIRECT_URIS:-https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback}"
bound_audiences="${VAULT_OIDC_BOUND_AUDIENCES:-${VAULT_OIDC_CLIENT_ID}}"
bound_claims="${VAULT_OIDC_BOUND_CLAIMS:-}"
bound_claims_type="${VAULT_OIDC_BOUND_CLAIMS_TYPE:-}"
if ! vault auth list -format=json | grep -q '"oidc/"'; then
log "enabling oidc auth method"
vault auth enable oidc
fi
log "configuring oidc auth"
vault write auth/oidc/config \
oidc_discovery_url="${VAULT_OIDC_DISCOVERY_URL}" \
oidc_client_id="${VAULT_OIDC_CLIENT_ID}" \
oidc_client_secret="${VAULT_OIDC_CLIENT_SECRET}" \
default_role="${role}"
vault auth tune -listing-visibility=unauth oidc >/dev/null
role_args=(
"user_claim=${user_claim}"
"oidc_scopes=${scopes}"
"token_policies=${token_policies}"
"bound_audiences=${bound_audiences}"
)
if [[ -n "${groups_claim}" ]]; then
role_args+=("groups_claim=${groups_claim}")
fi
if [[ -n "${bound_claims}" ]]; then
role_args+=("bound_claims=${bound_claims}")
fi
if [[ -n "${bound_claims_type}" ]]; then
role_args+=("bound_claims_type=${bound_claims_type}")
fi
IFS=',' read -r -a redirect_items <<<"${redirect_uris}"
for uri in "${redirect_items[@]}"; do
trimmed="${uri#"${uri%%[![:space:]]*}"}"
trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
if [[ -n "${trimmed}" ]]; then
role_args+=("allowed_redirect_uris=${trimmed}")
fi
done
log "configuring oidc role ${role}"
vault write "auth/oidc/role/${role}" "${role_args[@]}"
Reference in New Issue View Git Blame Copy Permalink