
Add support for Login MFA

Open clintmod opened this issue 3 years ago • 7 comments

Add support for the new (1.10) Login MFA feature.

clintmod avatar May 02 '22 18:05 clintmod

Hi @clintmod, just wanted to let you know that we currently have this feature in our backlog. We have no ETA on its delivery as of yet. We'll update this issue once we know more.

Thanks,

Ben

benashz avatar May 02 '22 19:05 benashz

I have attempted to configure this via the vault_generic_endpoint provider. It doesn't seem possible to do the vault write -field via that provider.

vault write -field method_id identity/mfa/method/okta org_name="$OKTA_ORG" api_token="$OKTA_TOKEN" base_url="$OKTA_BASE_URL" username_format="{{identity.entity.aliases.${OKTA_AUTH_ACCESSOR}.name}}@company.com"

# The same write expressed as a vault_generic_endpoint resource.
# ignore_absent_fields is set because a read of this path does not echo back
# the fields submitted in data_json, which would otherwise show as drift.
resource "vault_generic_endpoint" "login_mfa" {
  depends_on           = [vault_okta_auth_backend.company]
  path                 = "identity/mfa/method/okta"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "api_token":"${var.OKTA_TOKEN}",
  "base_url":"${var.OKTA_BASE_URL}",
  "org_name":"${var.OKTA_ORG}",
  "username_format":"{{identity.entity.aliases.${vault_okta_auth_backend.company.accessor}.name}}@company.com"
}
EOT
}

trodemaster avatar Jun 07 '22 17:06 trodemaster
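The missing piece in the attempt above is capturing the `method_id` that Vault returns on write, since the login enforcement needs it. The following is an added example, not code from this thread or from the provider's documentation; it assumes the `vault_generic_endpoint` `write_fields` / `write_data` arguments, the resource and variable names from the comment above, and an enforcement name of `okta-required`.

```hcl
# Step 1: create the Okta Login MFA method and keep the returned method_id.
# The create path has no ID segment, so a GET/DELETE on it is not meaningful;
# reads and deletes are disabled and the method must be removed by ID if
# it is ever decommissioned.
resource "vault_generic_endpoint" "login_mfa_okta" {
  path                 = "identity/mfa/method/okta"
  ignore_absent_fields = true
  disable_read         = true
  disable_delete       = true
  write_fields         = ["method_id"] # exposed later as write_data["method_id"]

  # data_json (including api_token) is persisted in Terraform state;
  # the state backend therefore has to be treated as a secret store.
  data_json = jsonencode({
    org_name        = var.OKTA_ORG
    api_token       = var.OKTA_TOKEN
    base_url        = var.OKTA_BASE_URL
    username_format = "{{identity.entity.aliases.${vault_okta_auth_backend.company.accessor}.name}}@company.com"
  })
}

# Step 2: bind the method to the Okta auth mount so every login through that
# accessor is required to complete MFA. This path does support read/delete,
# so the resource is fully managed.
resource "vault_generic_endpoint" "login_mfa_enforcement" {
  path                 = "identity/mfa/login-enforcement/okta-required"
  ignore_absent_fields = true

  data_json = jsonencode({
    mfa_method_ids        = [vault_generic_endpoint.login_mfa_okta.write_data["method_id"]]
    auth_method_accessors = [vault_okta_auth_backend.company.accessor]
  })
}
```

Scoping the enforcement by accessor rather than by `auth_method_types` keeps it from silently applying to other mounts of the same type added later.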

Looks like this was implemented in https://github.com/hashicorp/terraform-provider-vault/pull/1395 and released in 3.8.0

clintmod avatar Aug 02 '22 15:08 clintmod

@clintmod My understanding of this ticket is to implement support for the (non-enterprise) Login MFA feature that shipped with Vault 1.10.

The PR #1395 you're referring to was released before you opened this ticket here (20th of April) with version 3.50 and appears to only introduce support for Vault Enterprise MFA.

soerenschneider avatar Aug 04 '22 11:08 soerenschneider

@soerenschneider you're right, my bad. Reopening.

clintmod avatar Aug 04 '22 18:08 clintmod

There's even a note on this page: https://learn.hashicorp.com/tutorials/vault/active-directory-mfa-login-totp?in=vault/secrets-management#prerequisites

NOTE: The Login MFA integration introduced in version 1.10.0 is a new solution, and should not be confused with the legacy open source MFA or Enterprise Step Up MFA solutions. The solution covered in this tutorial is the preferred way to enable MFA for auth methods in all editions of Vault version 1.10.0 or greater.

clintmod avatar Aug 04 '22 18:08 clintmod

Hi, this feature request should be addressed during the Vault 1.12 release time frame. We are targeting the middle of October for the release, so more than likely it will be included in 3.10.0.

benashz avatar Aug 04 '22 19:08 benashz