Creates an Identity OIDC Named Key for the Vault Identity secrets engine. A named key holds the signing key material; one or more roles reference it to sign the identity tokens they issue.
The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault.
Use this with vault_identity_oidc_role
and vault_identity_oidc_key_allowed_client_id
to configure a role to generate identity tokens.
# The key is created first, the role references it by name, and the grant
# is expressed as a separate resource so that the key never has to reference
# the role's client_id directly (that would be a dependency cycle).
resource "vault_identity_oidc_key" "key" {
  name      = "key"
  algorithm = "RS256"
}

resource "vault_identity_oidc_role" "role" {
  name = "role"
  key  = vault_identity_oidc_key.key.name
}

# Grant exactly this role's client_id the right to sign with the key.
resource "vault_identity_oidc_key_allowed_client_id" "role" {
  key_name          = vault_identity_oidc_key.key.name
  allowed_client_id = vault_identity_oidc_role.role.client_id
}
The following arguments are supported:
namespace
- (Optional) The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace.
Available only for Vault Enterprise.
name
- (Required; Forces new resource) Name of the OIDC key to create.
rotation_period
- (Optional) How often to generate a new signing key, in seconds.
verification_ttl
- (Optional) How long the public portion of a signing key stays available
for verification after it has been rotated, in seconds. Keep this longer than
the longest token TTL of any role using the key; otherwise tokens signed by the
previous key stop verifying before they expire.
algorithm
- (Optional) Signing algorithm to use.
Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
allowed_client_ids
- (Optional) List of role client IDs allowed to use this key for signing. If
empty, no roles are allowed. If ["*"], all roles are allowed. Prefer an explicit
list; the wildcard lets any role in the namespace obtain tokens signed by this
key. Because a role's client_id is only known after the role is created, and
the role itself needs the key, grants are usually expressed with separate
vault_identity_oidc_key_allowed_client_id resources instead of this argument.
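The following is an added example, not code from the provider documentation or the Vault project, that puts the arguments above together: one ES256 key with an explicit rotation and verification window, several roles granted use of the key individually, and a precondition that catches a token TTL longer than the verification window. The key name, role names, TTL values and the `local.roles` map are assumptions chosen for illustration.

```hcl
# Assumed values for this example. Keeping them in locals lets the key and the
# precondition on each role reference the same numbers.
locals {
  rotation_period  = 3600  # mint a new signing key every hour
  verification_ttl = 7200  # keep the retired public key in the JWKS for 2 h

  # Hypothetical roles and the TTL of the tokens each one issues.
  roles = {
    ci     = { ttl = 1800 }
    deploy = { ttl = 600 }
  }
}

resource "vault_identity_oidc_key" "svc" {
  name             = "svc-signing"
  algorithm        = "ES256"
  rotation_period  = local.rotation_period
  verification_ttl = local.verification_ttl
  # allowed_client_ids is deliberately not set here; the grants below manage
  # the allowlist one role at a time, which avoids the key -> role -> key cycle.
}

resource "vault_identity_oidc_role" "svc" {
  for_each = local.roles

  name = each.key
  key  = vault_identity_oidc_key.svc.name
  ttl  = each.value.ttl

  lifecycle {
    # A token that outlives verification_ttl would be unverifiable for the
    # tail of its lifetime once the key rotates; refuse to plan such a role.
    precondition {
      condition     = each.value.ttl < local.verification_ttl
      error_message = "Role ${each.key}: ttl must be shorter than the key's verification_ttl."
    }
  }
}

# One grant per role. The map keys are known at plan time, so for_each works
# even though each role's client_id is computed on apply.
resource "vault_identity_oidc_key_allowed_client_id" "svc" {
  for_each = vault_identity_oidc_role.svc

  key_name          = vault_identity_oidc_key.svc.name
  allowed_client_id = each.value.client_id
}

# Weak form, shown for contrast only: any role in the namespace may sign with
# this key, so a compromised or misconfigured role mints tokens that relying
# parties trusting this key's JWKS will accept.
resource "vault_identity_oidc_key" "shared_wildcard" {
  name               = "shared-signing"
  allowed_client_ids = ["*"]
}
```

With the explicit grants, adding a role to `local.roles` adds both the role and its allowlist entry in one plan, and removing it revokes the grant in the same apply; nothing else in the namespace can use `svc-signing` without a corresponding change in this configuration.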
In addition to all arguments above, the following attributes are exported:
id
- The name of the created key.
The key can be imported with the key name, for example:
$ terraform import vault_identity_oidc_key.key key