Creates an Identity OIDC Role in the Vault Identity secrets engine, used to issue identity tokens.
The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault.
Use this with vault_identity_oidc_key and vault_identity_oidc_key_allowed_client_id to configure a Role to generate Identity Tokens.
A role must reference a named key. The role and the key can be created in either order, but the key must exist before the role can be used to issue tokens, and the key must list the role's Client ID among its allowed client IDs; until both hold, Vault will not issue tokens for the role.
variable "key" {
  description = "Name of the OIDC Key"
  default     = "key"
}

# The key references the role's client_id, so the role below refers to the key
# by name (var.key) rather than by resource attribute; referencing the resource
# from both sides would create a dependency cycle.
resource "vault_identity_oidc_key" "key" {
  name      = var.key
  algorithm = "RS256"
  allowed_client_ids = [
    vault_identity_oidc_role.role.client_id
  ]
}

resource "vault_identity_oidc_role" "role" {
  name = "role"
  key  = var.key
}
If you want to create the key before the role, configure the allowed Client ID on the key with a separate resource instead of inline:
resource "vault_identity_oidc_key" "key" {
  name      = "key"
  algorithm = "RS256"
}

# The role now depends on the key resource, so the key is created first.
resource "vault_identity_oidc_role" "role" {
  name = "role"
  key  = vault_identity_oidc_key.key.name
}

# Grants the role's client_id on the key without creating a cycle.
resource "vault_identity_oidc_key_allowed_client_id" "role" {
  key_name          = vault_identity_oidc_key.key.name
  allowed_client_id = vault_identity_oidc_role.role.client_id
}
The following arguments are supported:
namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
name - (Required; Forces new resource) Name of the OIDC Role to create.
key - (Required; Forces new resource) A configured named key; the key must already exist before tokens can be issued.
template - (Optional) The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format.
ttl - (Optional) TTL of the tokens generated against the role, in seconds.
client_id - (Optional) The value that will be included in the aud field of all the OIDC identity tokens issued by this role.
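Neither terraform plan nor the Vault API rejects a role whose key is missing or whose client_id the key does not allow; the mismatch only surfaces when a client asks for a token. The following is an added example, not code from the page or from the Vault provider, of a pre-apply consistency check over the key/role relationship described above and the template argument: it confirms every role's key exists, that the role's client_id is in the key's allowed_client_ids (treating "*" as a wildcard, per the Vault API docs), and that a template, given as string-ified JSON or base64, parses and does not set a claim Vault reserves for itself. The reserved-claim list, the {{identity.entity.name}} placeholder syntax, and the sample keys and roles (client IDs such as "app-frontend") are assumptions and constructed data, not taken from the page.

```python
import base64
import binascii
import json
import re

# Claims Vault fills in itself; the Identity secrets engine rejects a template
# that tries to set them (assumption: list taken from Vault's identity docs,
# verify it against the Vault version you run).
RESERVED_CLAIMS = {"iat", "aud", "exp", "iss", "sub", "namespace"}

# {{identity.entity.name}} style placeholders that Vault expands at issuance.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def decode_template(template):
    """Accept a template in either form the resource allows (string-ified JSON
    or base64) and return the raw template text."""
    stripped = template.strip()
    if stripped.startswith("{"):
        return stripped
    return base64.b64decode(stripped, validate=True).decode("utf-8")


def template_claims(template):
    """Return the set of top-level claim names a template would add.

    Placeholders are not JSON until Vault expands them, so each one is
    replaced with a dummy JSON string before parsing the structure."""
    expanded = PLACEHOLDER.sub('"placeholder"', decode_template(template))
    claims = json.loads(expanded)
    if not isinstance(claims, dict):
        raise ValueError("template must be a JSON object")
    return set(claims)


def check_roles(keys, roles):
    """Cross-check roles against keys the way Vault will at token issuance.

    keys:  {key_name: {"algorithm": str, "allowed_client_ids": [str, ...]}}
    roles: {role_name: {"key": str, "client_id": str, "template": str | None}}
    Returns a list of findings; an empty list means the configuration is
    consistent."""
    findings = []
    for kname, key in keys.items():
        # "*" in allowed_client_ids lets every role use the key (assumption:
        # wildcard semantics as described in the Vault API docs).
        if "*" in key.get("allowed_client_ids", []):
            findings.append(f"key {kname!r}: allowed_client_ids contains '*', any role may sign with it")
    for rname, role in roles.items():
        key = keys.get(role["key"])
        if key is None:
            findings.append(f"role {rname!r}: key {role['key']!r} does not exist, tokens cannot be issued")
            continue
        allowed = key.get("allowed_client_ids", [])
        if "*" not in allowed and role["client_id"] not in allowed:
            findings.append(f"role {rname!r}: client_id {role['client_id']!r} is not in allowed_client_ids of key {role['key']!r}")
        if role.get("template"):
            try:
                reserved = template_claims(role["template"]) & RESERVED_CLAIMS
            except (ValueError, binascii.Error) as exc:
                findings.append(f"role {rname!r}: template is not string-ified JSON or base64 ({exc})")
            else:
                for claim in sorted(reserved):
                    findings.append(f"role {rname!r}: template sets reserved claim {claim!r}")
    return findings


# Constructed sample configuration mirroring the Terraform resources above
# (not data from a real Vault); "app-frontend" and "other-app" are made up.
SAMPLE_KEYS = {
    "key": {"algorithm": "RS256", "allowed_client_ids": ["app-frontend"]},
}
SAMPLE_ROLES = {
    # Consistent: key exists, client_id is allowed, template adds only custom claims.
    "role": {
        "key": "key",
        "client_id": "app-frontend",
        "template": '{"username": {{identity.entity.name}}, "groups": {{identity.entity.groups.names}}}',
    },
    # Key that was never created.
    "orphan": {"key": "missing", "client_id": "app-frontend", "template": None},
    # client_id not listed on the key, and a base64 template overriding "sub".
    "bad-claim": {
        "key": "key",
        "client_id": "other-app",
        "template": base64.b64encode(b'{"sub": {{identity.entity.id}}}').decode("ascii"),
    },
}


def example_findings():
    return check_roles(SAMPLE_KEYS, SAMPLE_ROLES)


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

Run it against the key and role maps you build from your own Terraform state or a terraform show -json dump; the first example on this page (role and key referencing each other) passes the check only once the key's allowed_client_ids contains the role's client_id, which is exactly what vault_identity_oidc_key_allowed_client_id or the inline list provides.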
In addition to all arguments above, the following attributes are exported:
id - The name of the created role.
Identity OIDC roles can be imported using the role name, for example:
$ terraform import vault_identity_oidc_role.role role