23/06/2026

Vault – authorization with Keycloak

We will store some passwords and API tokens for an app, but one group will only be able to read them while another group can both read and write.

Secret engine

First enable the secret engine. The policies below use the data/ and metadata/ prefixes of KV version 2, so the mount has to be enabled as v2 (a plain `kv` enable defaults to v1, which has no such prefixes):

vault secrets enable -path=server-updates -version=2 kv

Keycloak client setup

Then create a “client” in Keycloak.

Client ID: vault_extern
Access type: confidential (in the newer admin console this is Client authentication: ON)
Standard Flow: enabled
Redirect URIs:
http://localhost:8250/oidc/callback
https://<vault-url>/ui/vault/auth/oidc/oidc/callback

Client Scopes → Mappers:

Mapper Type: Group Membership
Token Claim Name: groups
Add to ID token: ON (Vault reads the groups claim from the ID token)
Full group path: OFF (the claim then carries “admins”, not “/admins”; the Vault group alias names below must match these values exactly)

Save the client secret !!!!!

Vault OIDC setup

vault auth enable oidc

vault write auth/oidc/config \
  oidc_discovery_url="https://<keycloak-url>/auth/realms/<realm>" \
  oidc_client_id="vault_extern" \
  oidc_client_secret="<client-secret>" \
  default_role="default"

The /auth prefix in the discovery URL is the old (WildFly-based) Keycloak layout; from Keycloak 17 (Quarkus) the realm is served at https://<keycloak-url>/realms/<realm> unless the legacy relative path is configured. default_role names the OIDC role that is created further below.

Vault policies

admin-policy.hcl

path "server-updates/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "server-updates/metadata/*" {
  capabilities = ["list", "read", "delete"]
}

path "sys/internal/ui/mounts/*" {
  capabilities = ["read"]
}

read-policy.hcl

path "server-updates/data/*" {
  capabilities = ["read"]
}

path "server-updates/metadata/*" {
  capabilities = ["list"]
}

path "sys/internal/ui/mounts/*" {
  capabilities = ["read"]
}

The read on sys/internal/ui/mounts/* is only there so the Vault UI can display the server-updates mount; the CLI does not need it.

Apply the policies

vault policy write admin-policy admin-policy.hcl
vault policy write read-policy read-policy.hcl

We need to create the groups.

vault write identity/group name="admins" \
  type="external" \
  policies="admin-policy"

type = external because membership will come from OIDC, not be managed inside Vault. The policy name must match the name used in `vault policy write` above (admin-policy).

vault write identity/group name="read" \
  type="external" \
  policies="read-policy"

Keycloak Groups → Vault Groups

Get the OIDC accessor

vault auth list

auth_oidc_XXXXX

Get the group IDs (the id field in the output)

vault read identity/group/name/admins
vault read identity/group/name/read

Create the aliases. Vault matches the values of the groups claim against the alias names on this accessor, so the alias name must be exactly what Keycloak emits (the bare group name, since Full group path is OFF).

vault write identity/group-alias \
  name="admins" \
  mount_accessor="auth_oidc_XXXXX" \
  canonical_id="<ADMINS_GROUP_ID>"
vault write identity/group-alias \
  name="read" \
  mount_accessor="auth_oidc_XXXXX" \
  canonical_id="<READ_GROUP_ID>"

Create the OIDC role

vault write auth/oidc/role/default \
  bound_audiences="vault_extern,account" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback" \
  allowed_redirect_uris="https://<vault-url>/ui/vault/auth/oidc/oidc/callback" \
  user_claim="preferred_username" \
  groups_claim="groups" \
  ttl="1h"

Log in

vault login -method=oidc

The CLI opens the browser against Keycloak and receives the callback on http://localhost:8250/oidc/callback. The role sets no token_policies; admin-policy and read-policy arrive through group membership, so they appear under identity_policies in `vault token lookup`, not under policies.
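The Vault side of the group wiring above (accessor → group ID → alias) and a post-login check, as an added example that is not part of these notes. It assumes the auth mount path auth/oidc, the KV v2 mount server-updates, Keycloak groups named admins and read emitted as bare names in the groups claim, a VAULT_ADDR in the environment, and for `setup` a token with rights on identity/*; the script name vault-oidc-groups.sh and the sample secret path server-updates/app are my own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): scripts the Vault side of the
# Keycloak-group -> Vault-group wiring and verifies the result after OIDC login.
# Assumptions: auth mount at oidc/, KV v2 mount server-updates, Keycloak groups
# "admins" and "read" emitted as bare names in the "groups" claim (Full group path OFF).

# Pull the accessor of one auth mount out of the table printed by `vault auth list`
# (read on stdin). Columns: Path  Type  Accessor  Description.
accessor_for_mount() {
    awk -v p="$1" '$1 == p { print $3 }'
}

# True if capability $2 is in a `vault token capabilities` result $1, which Vault
# prints comma-separated, e.g. "create, delete, list, read, update".
capability_in_list() {
    caps=$(printf '%s' "$1" | tr -d ' ')
    case ",$caps," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Create the external group for a policy and bind the Keycloak group of the same
# name to it through an alias on the OIDC accessor. Writing an existing group by
# name updates it, but Vault refuses a second alias with the same name on the same
# accessor, so run this once per group.
wire_group() {
    group="$1" policy="$2" accessor="$3"
    vault write identity/group name="$group" type="external" policies="$policy" >/dev/null
    gid=$(vault read -field=id "identity/group/name/$group")
    vault write identity/group-alias name="$group" mount_accessor="$accessor" canonical_id="$gid"
}

setup() {
    accessor=$(vault auth list | accessor_for_mount oidc/)
    [ -n "$accessor" ] || { echo "no auth mount at oidc/" >&2; exit 1; }
    wire_group admins admin-policy "$accessor"
    wire_group read   read-policy  "$accessor"
}

# Run after `vault login -method=oidc`. The group policies are attached as
# identity_policies (the role sets no token_policies), and the capability check
# uses the real KV v2 path that `vault kv get server-updates/app` would hit.
verify() {
    ipols=$(vault token lookup -field=identity_policies 2>/dev/null || echo "(none)")
    echo "identity_policies: $ipols"
    caps=$(vault token capabilities server-updates/data/app)
    echo "capabilities on server-updates/data/app: $caps"
    if capability_in_list "$caps" update; then
        echo "admin access (read + write)"
    elif capability_in_list "$caps" read; then
        echo "read-only access"
    else
        echo "no access: check the groups claim in the ID token and the alias names" >&2
        exit 1
    fi
}

case "${1:-}" in
    setup)  setup ;;
    verify) verify ;;
    *)      echo "usage: $0 setup|verify" >&2 ;;
esac
```

Run `sh vault-oidc-groups.sh setup` with an admin token after the policies exist, then `vault login -method=oidc` as a member of each Keycloak group and `sh vault-oidc-groups.sh verify`: an admins member should see update among the capabilities, a read member only read, and an empty identity_policies list means the groups claim never reached Vault or the alias name does not match the claim value.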