The Vault OIDC auth method's CLI login accepts parameters that let the callback listener be customized. Using the
listenaddress and callbackhost parameters, it is possible to complete an OIDC login from a server that has no browser.
Upon completion of this guide, it will be possible to log in via the CLI with OIDC auth on a headless server.
Prerequisites
- Vault v1.5 or later running on the remote server
- Vault OIDC auth method already configured
- Vault CLI on a local machine
- Internet browser on local machine
- Familiarity with operating Vault
- Familiarity with OIDC / OIDC auth method
A Vault operator may need to authenticate via OIDC from a remote server which has no internet browser.
This guide assumes the OIDC auth method is already configured and servicing logins, and walks through the changes needed to make CLI login from a headless server work.
If OIDC auth has not been set up, please visit OIDC Provider Configuration.
The OIDC Auth Method tutorial linked at the bottom of this guide was used to set up a working example with Auth0 as the provider. The remote server used is an EC2 instance with a public IP address.
- Write the role configuration, adding the remote server's IP address as an allowed redirect URI:
    vault write auth/oidc/role/reader \
        allowed_redirect_uris="http://<EC2 IP Address>:8250/oidc/callback" \
        allowed_redirect_uris="http://<EC2 IP Address>:8200/ui/vault/auth/oidc/oidc/callback" \
The above example role config includes three redirect URIs. The first two allow CLI and UI login on the remote host. The third allows CLI login from a local machine to the remote host.
Add the same three URIs to the list of allowed callback URLs in your OIDC provider; the provider rejects the login if the redirect URI Vault sends is not on its list.
- Perform the CLI login from the remote server:
    vault login -method=oidc role="reader" \
        listenaddress="<EC2 IP Address>" \
        callbackhost="<EC2 IP Address>"
Note: In the above login command, the listenaddress and callbackhost values are a bare host or IP address; it is not necessary to include the method (http/https) or the port.
    Complete the login via your OIDC provider. Launching browser to:

    Error attempting to automatically open browser: '1 error occurred:
        * exec: "xdg-open": executable file not found in $PATH

    Please visit the authorization URL manually.
    Waiting for OIDC authentication to complete...
- Copy and paste the authorization URL from the CLI output into the browser on your local machine.
- The Vault UI will display the message:
- The remote CLI will complete authentication with this output:
    Success! You are now authenticated. The token information displayed below
    is already stored in the token helper. You do NOT need to run "vault login"
    again. Future Vault requests will automatically use this token.
    token_policies    ["reader" "default"]
    policies          ["reader" "default"]
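The most common reason the login above fails is a redirect URI that does not exactly match an entry in the role's allowed_redirect_uris (a missing port, http versus https, or a different path). The following pre-flight check is an added example written for this guide; it is not code from the article or from HashiCorp. It rebuilds the redirect URI the Vault CLI presents from the callbackhost, callbackport and callbackmethod login parameters (defaults 8250 and http are assumed, matching the URIs in the role configuration above) and compares it against a role's allowed_redirect_uris as returned by `vault read -format=json auth/oidc/role/reader`. The role JSON, the documentation address 203.0.113.10 standing in for "<EC2 IP Address>", and the function names are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of `vault read -format=json auth/oidc/role/reader` output
# (not real output; 203.0.113.10 is a documentation IP standing in for the EC2 address).
SAMPLE_ROLE_JSON = """
{
  "data": {
    "allowed_redirect_uris": [
      "http://203.0.113.10:8250/oidc/callback",
      "http://203.0.113.10:8200/ui/vault/auth/oidc/oidc/callback"
    ],
    "role_type": "oidc"
  }
}
"""

DEFAULT_CALLBACK_PORT = 8250        # assumed CLI default for callbackport
CLI_CALLBACK_PATH = "/oidc/callback"  # path used by the CLI listener in the guide


def cli_callback_uri(callbackhost, callbackport=DEFAULT_CALLBACK_PORT, callbackmethod="http"):
    """Build the redirect URI the CLI sends in the authorization request.

    callbackhost is a bare host or IP: the scheme and port come from the
    separate callbackmethod / callbackport parameters, which is why the guide
    says not to include them in the login command.
    """
    return f"{callbackmethod}://{callbackhost}:{callbackport}{CLI_CALLBACK_PATH}"


def explain_mismatch(expected, candidate):
    """List the URI components in which candidate differs from expected."""
    e, c = urlsplit(expected), urlsplit(candidate)
    diffs = []
    for name, want, got in (("scheme", e.scheme, c.scheme),
                            ("host", e.hostname, c.hostname),
                            ("port", e.port, c.port),
                            ("path", e.path, c.path)):
        if want != got:
            diffs.append(f"{name}: expected {want!r}, found {got!r}")
    return diffs


def preflight(role_json, callbackhost, callbackport=DEFAULT_CALLBACK_PORT, callbackmethod="http"):
    """Check that the CLI's redirect URI is on the role's allow-list.

    For a non-loopback callback host such as the EC2 IP, the comparison is an
    exact string match, so a wrong port, scheme or path is enough to reject the
    login. On failure, report per allowed URI which component differs.
    """
    allowed = json.loads(role_json)["data"]["allowed_redirect_uris"]
    expected = cli_callback_uri(callbackhost, callbackport, callbackmethod)
    if expected in allowed:
        return {"ok": True, "expected": expected, "problems": {}}
    return {"ok": False, "expected": expected,
            "problems": {uri: explain_mismatch(expected, uri) for uri in allowed}}


if __name__ == "__main__":
    # First case matches the role above; second uses a non-default port.
    for host, port in (("203.0.113.10", 8250), ("203.0.113.10", 8251)):
        result = preflight(SAMPLE_ROLE_JSON, host, port)
        print(result["expected"], "OK" if result["ok"] else "NOT ALLOWED")
        for uri, diffs in result["problems"].items():
            print("  vs", uri, "->", "; ".join(diffs))
```

Run it before the login step whenever the callbackhost or callbackport differs from what was written into the role; the same exact-match rule applies to the allowed callback URL list in the OIDC provider, so the URI reported as "expected" is the one to register there as well. Because listenaddress binds the CLI's temporary listener to the EC2 address, port 8250 on that host must also be reachable from the machine running the browser, or the callback never arrives and the CLI waits indefinitely.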