vault and oidc usage?

[sereinity]

Hello,

I wanted to give the tool a try, and wonder what could be a proper usage of it when using an oidc authentication method.

I configured only the endpoint and hit vault login -method=oidc on each context switching, is there a better way?

[devops-rob]

Hi @sereinity Currently not unfortunately. What would the ideal UX be for you?

[sereinity]

A quick tough:

target vault create example-oidc --endpoint=https://example-vault.com:8200 --method=oidc
target vault create example-token --endpoint=https://example-vault.com:8200 --token=mytoken
eval $(target vault select example-oidc)
vault login
vault read …
eval $(target vault select example-token)
vault read …
eval $(target vault select example-oidc)
# no need to login has the previous token for this profile is still valid
vault read …

Bonus:

• target vault create --auto-login=true to run vault login automatically on select
• a friendly warning about obsolete token on select

Vault should support using a -method from an environment variable, which seems to not exists right now, a target vault login may help.

Also, target may provide a token helper to store/get/set tokens by profile.

[davidusken]

Just installed this tool and also noticed there was no OIDC method so +1 for this