
OpenBao UI SSO

Warning: You need to have Keycloak and OpenBao up and running before proceeding with this guide.

This guide follows the OpenBao documentation for Keycloak as an OIDC provider: https://openbao.org/docs/auth/jwt/oidc-providers/keycloak/

Create a client in Keycloak with the following settings. Replace <CLUSTER_DOMAIN> with the actual value.

Setting         Value
Client ID       openbao
Root URL        https://openbao.<CLUSTER_DOMAIN>
Redirect URIs   /ui/vault/auth/oidc/oidc/callback
                /v1/auth/oidc/*
                http://localhost:8250/oidc/callback

Enable the OIDC auth method in OpenBao:

kubectl exec -ti openbao-0 -n openbao -- bao auth enable oidc

Configure the OIDC auth method in OpenBao. Replace <CLIENT_SECRET> and <CLUSTER_DOMAIN> with the actual values.

kubectl exec -ti openbao-0 -n openbao -- bao write auth/oidc/config \
  oidc_client_id="openbao" \
  oidc_client_secret="<CLIENT_SECRET>" \
  default_role="admin-sso" \
  oidc_discovery_url="https://account.<CLUSTER_DOMAIN>/realms/nursery"

Create the OIDC role in OpenBao. Replace <CLUSTER_DOMAIN> with the actual value.

Warning: The example below allows any user in the "Admins" group in Keycloak to log in to OpenBao with admin privileges. Adjust the configuration according to your security requirements. The bound_claims check only works if the ID token actually carries a groups claim: in Keycloak that comes from a Group Membership mapper on the client with "Full group path" enabled, which is why the value is written as "/Admins" with a leading slash.

kubectl exec -ti openbao-0 -n openbao -- bao write auth/oidc/role/admin-sso - <<EOF
{
  "role_type": "oidc",
  "user_claim": "email",
  "token_policies": "admin,default",
  "oidc_scopes": "profile,email",
  "bound_claims": { "groups": ["/Admins"] },
  "allowed_redirect_uris": "https://openbao.<CLUSTER_DOMAIN>/v1/auth/oidc/callback,https://openbao.<CLUSTER_DOMAIN>/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback"
}
EOF

Create the admin policy in OpenBao (the one referenced by token_policies in the role) that allows managing kv secrets:

kubectl exec -ti openbao-0 -n openbao -- bao policy write admin - <<EOF
# Allow a token to manage kv secrets
path "kv/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
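The OpenBao side of the procedure above collected into one script, added here as an example and not taken from the OpenBao or Keycloak documentation. It assumes the same pod, namespace, realm, role and policy names used on this page, takes CLUSTER_DOMAIN and CLIENT_SECRET from the environment, refuses to run while either is still a placeholder, and reads the stored role back at the end so the bound_claims and redirect list can be checked against what was intended.

```shell
#!/usr/bin/env bash
# Added example: wraps the guide's bao commands (assumed names: openbao-0 pod,
# openbao namespace, realm "nursery", role admin-sso, policy admin).
set -eu

CLUSTER_DOMAIN="${CLUSTER_DOMAIN:-<CLUSTER_DOMAIN>}"
CLIENT_SECRET="${CLIENT_SECRET:-<CLIENT_SECRET>}"

# -i (no -t): stdin is piped into bao for the role JSON and the policy HCL.
bao_exec() { kubectl exec -i openbao-0 -n openbao -- bao "$@"; }

# Reject empty values and the literal placeholders from the guide.
check_inputs() {
  case "$1$2" in *'<CLUSTER_DOMAIN>'*|*'<CLIENT_SECRET>'*) return 1 ;; esac
  [ -n "$1" ] && [ -n "$2" ]
}

# Role JSON for a given cluster domain; the redirect URIs must match the
# Keycloak client's Redirect URIs exactly, or the callback is rejected.
role_json() {
  cat <<EOF
{
  "role_type": "oidc",
  "user_claim": "email",
  "token_policies": "admin,default",
  "oidc_scopes": "profile,email",
  "bound_claims": { "groups": ["/Admins"] },
  "allowed_redirect_uris": "https://openbao.$1/v1/auth/oidc/callback,https://openbao.$1/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback"
}
EOF
}

policy_hcl() {
  printf '%s\n' '# Allow a token to manage kv secrets' 'path "kv/*" {' \
    '  capabilities = ["create", "read", "update", "delete", "list"]' '}'
}

apply() {
  check_inputs "$CLUSTER_DOMAIN" "$CLIENT_SECRET" ||
    { echo "set CLUSTER_DOMAIN and CLIENT_SECRET first" >&2; return 1; }
  # Enable the method only if it is not mounted yet (auth enable is not idempotent).
  bao_exec auth list -format=json | grep -q '"oidc/"' || bao_exec auth enable oidc
  bao_exec write auth/oidc/config oidc_client_id=openbao oidc_client_secret="$CLIENT_SECRET" \
    default_role=admin-sso oidc_discovery_url="https://account.${CLUSTER_DOMAIN}/realms/nursery"
  role_json "$CLUSTER_DOMAIN" | bao_exec write auth/oidc/role/admin-sso -
  policy_hcl | bao_exec policy write admin -
  # Read back the stored role: bound_claims and allowed_redirect_uris are the access boundary.
  bao_exec read -format=json auth/oidc/role/admin-sso
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it as `CLUSTER_DOMAIN=example.com CLIENT_SECRET=... ./openbao-sso.sh apply`; without the `apply` argument it only defines the functions.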