Set up Vault OIDC with Cognito and Google IdP
Even though there is already a pretty good guide on how to configure OIDC with Vault, I went through a fair bit of pain configuring it with both Google and AWS Cognito, because I couldn't find any documentation that applied exactly to these tools and because OIDC is also confusing to understand and use. Hopefully this guide helps you set up your Vault OIDC flow and saves you some time.
At the end of this guide you should be able to log in to Vault with your Google credentials and manage user group membership with Cognito.
- Google will be your IdP.
- Cognito will handle your authorization.
Set up the IdP with Google
This assumes that you have an organisation set up with Google.
Google is used to authenticate your users. In our workflow we will only allow Google users that come from our internal organisation. Using Google as our IdP has the advantage that we do not need to provide users with an additional set of credentials that they could lose, and 2FA is already supported.
1. Go to your GCP console and select APIs & Services.
2. Select Credentials, then Create Credentials, and choose OAuth client ID.
3. Select Web application. You can leave the redirects blank for now, but they will look something like this:
- Authorised JavaScript origins: https://your-domain.auth.eu-west-1.amazoncognito.com
- Authorised redirect URIs: https://your-domain.auth.eu-west-1.amazoncognito.com/oauth2/idpresponse
After creating this you will get a client ID and a client secret, which you will need later in Cognito.
4. Go to the OAuth consent screen and make sure that Internal is selected as the user type (this is required if you only want people in your organisation to be able to log in with their Google account).
Set up the authorization with Cognito
In this part we use Cognito to manage users and assign them to groups. In this flow a user first logs in to Vault with their Monese account and receives only the default policy; once that is done we can add the user to a group with the permissions they need to do their job in Vault.
1. Go to AWS Cognito in the Vault account and select Manage User Pools.
2. In this case we already created one called vault. If it doesn't exist, create one with the defaults.
3. Go to Identity providers and select Google. Fill in the details from step 3 of the Google section above, as shown in the screenshot.
4. Go to Attribute mapping and ensure it looks like this:
5. Go to groups and create one; in this case we are creating one called admin.
6. Create an app client, which will yield a client ID like this:
7. Ensure that your app client settings match the screenshot below; your callback URLs for Vault should look like this:
- For the UI: https://yourvaulturl/ui/vault/auth/oidc/oidc/callback
- For everything else: http://localhost:8250/oidc/callback
8. Set a name for your domain like this:
Set up Vault with Cognito OIDC
Here we set up Vault to work with Cognito. Vault will send the user to Cognito, and Cognito will bounce the user to Google for authentication.
All the steps below are done with the Vault CLI; some can also be done in the UI, but it is easier to just do them this way.
1. Declare variables with the data you will need to pass to the commands.
export OIDC_CLIENT_SECRET="supersecret"
export OIDC_DISCOVERY_URL="https://cognito-idp.YOURREGION.amazonaws.com/USERPOOLID"
export OIDC_CLIENT_ID="YOUR_OIDC_CLIENT_ID"
export REDIRECT_URL_UI="https://yourvaulturl/ui/vault/auth/oidc/oidc/callback"
export REDIRECT_URL_CLI="http://localhost:8250/oidc/callback"
The OIDC discovery URL follows this format:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}
You can find the user pool ID under General settings in the Cognito user pool.
2. Set up the OIDC auth method config.
vault write auth/oidc/config \
    oidc_discovery_url="$OIDC_DISCOVERY_URL" \
    oidc_client_id="$OIDC_CLIENT_ID" \
    oidc_client_secret="$OIDC_CLIENT_SECRET" \
    default_role="default"
3. Set up a default role for users accessing Vault within your organisation.
vault write auth/oidc/role/default \
    bound_audiences="$OIDC_CLIENT_ID" \
    allowed_redirect_uris="$REDIRECT_URL_UI" \
    allowed_redirect_uris="$REDIRECT_URL_CLI" \
user_claim="sub" \
policies="default" \
groups_claim="cognito:groups"
The default policy gives very basic access to Vault: you will only be able to access the console and create cubbyhole secrets (personal secrets tied to the lifetime of your token). This is good as a point of entry to register your users in Cognito so they can then be assigned to groups.
Assign a policy and role to a matching group in Cognito
In this section you will attach a policy to an external group in Vault that matches a group in Cognito. Whatever group and policy you define here will grant that access to the members of the matching group in Cognito.
Before doing the steps below, create a policy in Vault called admin. It doesn't matter what permissions you give that policy; this is just to test that the flow is working.
1. Define an external group identity, assign it a policy, and create a group alias on the OIDC mount accessor. The last part ensures that the group's membership is fetched from your OIDC provider.
# Create the external group and capture its ID.
GROUP_ID=$(vault write -format=json identity/group name="admin" type="external" \
    policies="admin" metadata=responsibility="Manage Vault" | jq -r '.data.id')
# Get the OIDC mount accessor.
ACCESSOR="$(vault auth list -format=json | jq -r '."oidc/".accessor')"
# Attach the alias; its name must match the group name Cognito sends in cognito:groups.
vault write identity/group-alias name="admin" \
    mount_accessor="$ACCESSOR" \
    canonical_id="$GROUP_ID"
This last section can be repeated every time you need to add a group to Vault: create a policy, then follow these steps.
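As an added illustration (not part of the original guide), the following Python script mirrors the checks the default role above implies and the group-alias matching from this section: it reads the claims out of a Cognito ID token and reports which user, groups and policies Vault would derive. The client ID, discovery URL and group name are the guide's placeholders; build_unsigned_token produces constructed test input only, and nothing here verifies the RS256 signature, which Vault does against the JWKS from the discovery URL.

```python
import base64
import json
import time

# Placeholders copied from the guide's exported variables (not real values).
OIDC_CLIENT_ID = "YOUR_OIDC_CLIENT_ID"
OIDC_DISCOVERY_URL = "https://cognito-idp.YOURREGION.amazonaws.com/USERPOOLID"

# Mirrors auth/oidc/role/default as written in the guide.
DEFAULT_ROLE = {"bound_audiences": [OIDC_CLIENT_ID], "user_claim": "sub",
                "groups_claim": "cognito:groups", "policies": ["default"]}

# Vault external groups keyed by group-alias name, which must equal the Cognito group name.
EXTERNAL_GROUPS = {"admin": ["admin"]}  # alias name -> policies attached to the group


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(claims: dict) -> str:
    """Constructed test input only: a JWT-shaped string with an empty signature.
    Real Cognito ID tokens are RS256-signed; Vault checks that, this script does not."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Claims of a compact JWT, read without signature verification (inspection only)."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def evaluate_role(claims: dict, role: dict = DEFAULT_ROLE, now=None) -> dict:
    """Apply the checks the role implies, then resolve policies through external groups.
    Returns {"ok", "reason"} and, on success, "user", "groups" and "policies"."""
    now = time.time() if now is None else now
    if claims.get("iss") != OIDC_DISCOVERY_URL:
        return {"ok": False, "reason": "iss does not match oidc_discovery_url"}
    aud = claims.get("aud")
    if not set(aud if isinstance(aud, list) else [aud]) & set(role["bound_audiences"]):
        return {"ok": False, "reason": "aud not in bound_audiences"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    user = claims.get(role["user_claim"])
    if not user:
        return {"ok": False, "reason": f"missing user_claim '{role['user_claim']}'"}
    # A missing cognito:groups claim is not an error: the user gets only the role's policies,
    # which is the registration path the guide describes for new users.
    groups = list(claims.get(role["groups_claim"], []))
    policies = list(role["policies"])
    for g in groups:
        policies += EXTERNAL_GROUPS.get(g, [])
    return {"ok": True, "reason": "", "user": user, "groups": groups, "policies": policies}
```

Paste a real ID token from the Cognito hosted UI into decode_payload to see exactly which aud, sub and cognito:groups values Vault will be matching against your role and group aliases.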
The Result
Once you are done you will see the button Sign in with OIDC Provider; press it and you will be redirected to authenticate with Google:
Please note that in order to see Google users in Cognito they will need to try to log in once (receiving only the default policy); once this is done you will see them as users in Cognito and can then add them to the appropriate group.