package oidc
import (
"fmt"
"os"
"strings"
"github.com/hashicorp/vault/api"
)
// CLIHandler is the stateless handler behind "vault auth -method=oidc":
// Auth performs the login against the OIDC auth backend and Help returns
// the usage text. It carries no configuration of its own; everything comes
// from the key/value pairs passed to Auth and the environment.
type CLIHandler struct{}
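// Auth logs in to the OIDC auth backend mounted at m["mount"] (default
// "oidc") and returns the Vault client token issued for that login.
//
// The OIDC identity token is taken from m["token"]; when that key is absent
// or empty it falls back to the VAULT_AUTH_OIDC_TOKEN environment variable.
// Passing the token on the command line (token=<token>) exposes it in shell
// history and in the process listing visible to other users on the host, so
// the environment variable is the less leaky of the two options.
//
// It returns an error when no token is available, when the login request
// fails, or when Vault answers without an auth block — the last case would
// otherwise be a nil-pointer dereference on secret.Auth.
func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
	// An empty mount would produce "auth//login"; treat it like "unset".
	mount := m["mount"]
	if mount == "" {
		mount = "oidc"
	}

	// Explicit argument first, environment second. An empty value in either
	// place counts as "not provided" rather than being sent to Vault.
	token := m["token"]
	if token == "" {
		token = os.Getenv("VAULT_AUTH_OIDC_TOKEN")
	}
	if token == "" {
		return "", fmt.Errorf("OpenID Connect (OIDC) token should be provided either as 'value' for 'token' key,\nor via an env var VAULT_AUTH_OIDC_TOKEN")
	}

	path := fmt.Sprintf("auth/%s/login", mount)
	secret, err := c.Logical().Write(path, map[string]interface{}{
		"token": token,
	})
	if err != nil {
		return "", err
	}
	if secret == nil {
		return "", fmt.Errorf("empty response from credential provider")
	}
	// A response with no auth block means Vault issued no token for this
	// login; report that instead of dereferencing a nil *SecretAuth.
	if secret.Auth == nil {
		return "", fmt.Errorf("response from credential provider contains no auth data")
	}
	return secret.Auth.ClientToken, nil
}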
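// Help returns the usage text for "vault auth -method=oidc". The text now
// documents the VAULT_AUTH_OIDC_TOKEN fallback that Auth implements, which
// the previous version left out, and recommends it over the command-line
// argument for secrecy reasons. Surrounding whitespace of the literal is
// trimmed so it can be laid out readably here.
func (h *CLIHandler) Help() string {
	help := `
The OpenID Connect credential provider allows you to authenticate with OIDC providers.

To use it, specify the "token" parameter. The value should be the user's identity
token for the OIDC provider. Usually you should get a new OIDC identity token with a
third-party CLI tool.

The token may instead be supplied through the VAULT_AUTH_OIDC_TOKEN environment
variable. Prefer that form: a token given on the command line ends up in shell
history and is visible to other users of the host through the process list.

    Example: vault auth -method=oidc token=<token>
    Example: VAULT_AUTH_OIDC_TOKEN=<token> vault auth -method=oidc

Key/Value Pairs:

    mount=oidc      The mountpoint for the OIDC credential provider.
                    Defaults to "oidc"

    token=<token>   The OIDC identity token for authentication. When omitted,
                    the VAULT_AUTH_OIDC_TOKEN environment variable is used.
`
	return strings.TrimSpace(help)
}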