
[terraform-provider-vault] Connection to Vault Using OIDC

Open etiennejournet opened this issue 4 years ago • 9 comments

Hi,

Sorry if this has been answered earlier.

Is there a way that I could configure my vault provider to use OIDC authentication? Such as this (doesn't work):

provider "vault" {
  version = "=2.12"
  address = "https://vault.${terraform.workspace}.mydomain.fr"
  auth_login {
    path        = "auth/oidc/login/"
    parameters  = {
      role  = "admin"
    }
  }
}

Thanks,

etiennejournet avatar Aug 05 '20 08:08 etiennejournet

bump

etiennejournet avatar Aug 25 '20 15:08 etiennejournet

I hadn't found any. I just created a wrapper script that'd run the vault login before running terraform.

sidewinder12s avatar Oct 14 '20 22:10 sidewinder12s

FWIW, the closest to vault login -method=oidc -path=auth0-oidc I got with the provider was this configuration:

provider "vault" {
  address = local.vault_address
  auth_login {
    path = "/auth/auth0-oidc/oidc/auth_url"
    parameters = {
      "redirect_uri" = "http://localhost:8250/oidc/callback"
    }
  }
}

But it then crashes the provider:

panic: runtime error: invalid memory address or nil pointer dereference
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xf4083b]
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: goroutine 53 [running]:
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: github.com/terraform-providers/terraform-provider-vault/vault.providerConfigure(0xc00049e230, 0x0, 0xc00000c660, 0xc00049e230, 0x0)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vault/provider.go:708 +0x91b
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Configure(0xc0001f9a00, 0xc00007ff80, 0x116e660, 0xc00007fdd0)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform-plugin-sdk/helper/schema/provider.go:275 +0xf6
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).Configure(0xc00018e7a0, 0x15d8720, 0xc00007ef30, 0xc0006ac340, 0xc00018e7a0, 0xc00007ef30, 0xc000353a48)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin/grpc_provider.go:487 +0x2e6
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_Configure_Handler(0x12c8560, 0xc00018e7a0, 0x15d8720, 0xc00007ef30, 0xc000191020, 0x0, 0x15d8720, 0xc00007ef30, 0xc0001ac840, 0x144)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5/tfplugin5.pb.go:3135 +0x217
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: google.golang.org/grpc.(*Server).processUnaryRPC(0xc0004ae160, 0x15e4c80, 0xc000683b00, 0xc00021a400, 0xc00007e720, 0x1ec1078, 0x0, 0x0, 0x0)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/google.golang.org/grpc/server.go:995 +0x460
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: google.golang.org/grpc.(*Server).handleStream(0xc0004ae160, 0x15e4c80, 0xc000683b00, 0xc00021a400, 0x0)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/google.golang.org/grpc/server.go:1275 +0xd3d
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc0006a8140, 0xc0004ae160, 0x15e4c80, 0xc000683b00, 0xc00021a400)
2020-09-09T09:17:53.172+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/google.golang.org/grpc/server.go:710 +0xa1
2020-09-09T09:17:53.173+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4: created by google.golang.org/grpc.(*Server).serveStreams.func1
2020-09-09T09:17:53.173+0200 [DEBUG] plugin.terraform-provider-vault_v2.13.0_x4:        /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-vault/vendor/google.golang.org/grpc/server.go:708 +0xa1
2020-09-09T09:17:53.175+0200 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/vault/2.13.0/linux_amd64/terraform-provider-vault_v2.13.0_x4 pid=3587515 error="exit status 2"
2020/09/09 09:17:53 [ERROR] eval: *terraform.EvalConfigProvider, err: rpc error: code = Unavailable desc = transport is closing
2020/09/09 09:17:53 [ERROR] eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing
2020/09/09 09:17:53 [ERROR] eval: *terraform.EvalOpFilter, err: rpc error: code = Unavailable desc = transport is closing
2020/09/09 09:17:53 [ERROR] eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing
2020/09/09 09:17:53 [TRACE] [walkRefresh] Exiting eval tree: provider["registry.terraform.io/hashicorp/vault"]

Which I believe is caused by the lack of OIDC url handling in the provider.

pdecat avatar Oct 15 '20 07:10 pdecat
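The wrapper approach sidewinder12s describes above, using the `vault login -method=oidc -path=...` command pdecat mentions, written out as an added example (this is not code from the issue, the Vault CLI or the provider project). It assumes `vault` and `terraform` are on PATH, `VAULT_ADDR` is already exported, the OIDC auth method is mounted at `VAULT_OIDC_PATH` (default `oidc`) and the role is `VAULT_OIDC_ROLE` (default `admin`); all of those names are this example's own, not the thread's.

```shell
#!/usr/bin/env sh
# Wrapper: let the Vault CLI run the browser-based OIDC flow (it also hosts the
# localhost:8250 callback listener), then hand the resulting token to Terraform
# through VAULT_TOKEN. The provider block then needs no auth_login at all.
#
# Assumptions (example's own, not from the issue): auth mount path, role name
# and VAULT_ADDR come from the environment; vault and terraform are on PATH.
set -eu

: "${VAULT_OIDC_PATH:=oidc}"
: "${VAULT_OIDC_ROLE:=admin}"

# Accept only something shaped like a Vault token ("s." legacy prefix, or the
# current "hvs."/"hvb." prefixes, followed by base62). This rejects stray
# output on stdout before it is exported to a child process.
is_vault_token() {
  case "$1" in
    s.[A-Za-z0-9]*|hvs.[A-Za-z0-9]*|hvb.[A-Za-z0-9]*) [ "${#1}" -ge 26 ] ;;
    *) return 1 ;;
  esac
}

# -token-only prints just the client token; -no-store keeps it out of the
# on-disk token helper (~/.vault-token), so it lives only in this process.
vault_oidc_login() {
  local token
  # Assign separately from 'local' so a failing vault login is not masked.
  token="$(vault login -method=oidc -path="$VAULT_OIDC_PATH" \
             -token-only -no-store role="$VAULT_OIDC_ROLE")"
  if ! is_vault_token "$token"; then
    echo "vault login did not return a token" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# Scope VAULT_TOKEN to the terraform process instead of exporting it globally.
run_terraform() {
  local token
  token="$1"
  shift
  VAULT_TOKEN="$token" terraform "$@"
}

main() {
  local token
  token="$(vault_oidc_login)"
  run_terraform "$token" "$@"
}

# Run only when terraform arguments are given, e.g. ./tf-oidc.sh plan
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoke it as `VAULT_ADDR=https://vault.example.fr VAULT_OIDC_PATH=auth0-oidc ./tf-oidc.sh plan`; the provider picks up `VAULT_TOKEN` from the environment when the `provider "vault"` block carries neither `token` nor `auth_login`, which sidesteps the `auth_url` crash shown above entirely. Keeping the token out of the token helper and out of the global environment limits where a short-lived OIDC-issued token can be read from.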

Just to add that we would also really benefit from this

ahackettboyle avatar May 20 '21 11:05 ahackettboyle

Bump!

sam-mundle avatar Jan 14 '22 16:01 sam-mundle

bump

zikphil avatar Apr 12 '22 14:04 zikphil

bump

SoulKyu avatar Jun 03 '22 15:06 SoulKyu

bump (needs this too)

eliebou avatar Jun 07 '22 16:06 eliebou

Hi Folks,

This work is planned to take place during the Vault 1.12 release time frame. So it should be done some time before the beginning of October. This is part of a broader initiative to fix up most auth/login issues across the board.

Thanks,

Ben

benashz avatar Jun 08 '22 18:06 benashz

Closed with #1615

benashz avatar Sep 26 '22 19:09 benashz