Reading and writing keycloak secrets to hashicorp vault using vault spi


Ujjavala Singh

Dec 15, 2021, 11:43:52 AM12/15/21
to Keycloak Dev
I am currently working with a Java identity service where I have created a customized vault (HashiCorp) provider using the Vault SPI. I have used this extension to add the vault provider. The provider is integrated now, and I am able to see it in the provider list. Wanted to check how I can store and retrieve Keycloak secrets (like realm IDs, LDAP credentials, external tokens, etc.) from this vault.

Cédric Couralet

Dec 17, 2021, 10:11:35 AM12/17/21
to Keycloak Dev
Hello,

You should use the extension from here: https://github.com/InseeFrLab/keycloak-hashicorp-vault-ext

Normally you can use it by inputting ${vault.key} in the field; Keycloak will then use the configured provider to fetch the key. That said, we didn't really test this extension with newer Keycloak versions, so there may be some bugs. Don't hesitate to message me if anything goes wrong (as it will surely not be Keycloak related :) )

Best Regards,
Cédric Couralet

Ujjavala Singh

Dec 20, 2021, 1:09:50 AM12/20/21
to Keycloak Dev
Hello

I did use the extension: https://github.com/InseeFrLab/keycloak-hashicorp-vault-ext. The extension works fine and I have a vault configured now. My question was about the next step. I want Keycloak to not store sensitive entries in its database, and instead store and retrieve such sensitive data from the integrated HashiCorp Vault. Are there any leads on that?

Cédric Couralet

Dec 20, 2021, 3:54:53 AM12/20/21
to Keycloak Dev

You can use ${vault.key} in the field you want (SMTP password, LDAP credential, OIDC secret) to fetch the secret "key" from Vault. You need to create that secret before using it; the provider won't create it for you.
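The two replies above describe the contract: a configuration field whose value is `${vault.key}` is handed to the configured Vault SPI provider, which looks up `key`, and the provider never creates a missing secret. The following is an added example that models that resolution step; it is not code from Keycloak or from the InseeFrLab extension. `FakeVaultKV`, `resolve`, `resolve_config` and the sample LDAP config are assumptions constructed for the illustration, and the in-memory store stands in for HashiCorp Vault's KV engine. The regex only matches a field whose entire value is a vault reference, so a literal value or a partial reference such as `prefix-${vault.key}` is used verbatim and never reaches the provider.

```python
"""Model of how a Keycloak field such as ``${vault.key}`` is resolved through a
Vault SPI provider. Added example, not Keycloak's or the extension's own code;
``FakeVaultKV`` is a constructed stand-in for HashiCorp Vault."""
import re
from typing import Dict, Optional

# Only a field whose *entire* value is ${vault.<key>} is a vault reference
# (assumption modelled on the ${vault.key} syntax described in the thread).
VAULT_REF = re.compile(r"^\$\{vault\.(.+?)\}$")


class SecretNotFound(KeyError):
    """The referenced key does not exist; the provider will not create it."""


class FakeVaultKV:
    """Constructed in-memory KV store; a real provider would call Vault's HTTP API."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = dict(secrets)

    def read(self, key: str) -> Optional[bytes]:
        return self._secrets.get(key)


def vault_key(field_value: str) -> Optional[str]:
    """Return the key named inside ${vault.key}, or None for a literal value."""
    m = VAULT_REF.match(field_value)
    return m.group(1) if m else None


def resolve(field_value: str, store: FakeVaultKV) -> bytes:
    """Resolve one configuration field the way Keycloak would before using it:
    a vault reference is fetched from the provider, a literal is used as-is.
    An unknown key is an error because the secret must be created beforehand."""
    key = vault_key(field_value)
    if key is None:
        return field_value.encode()
    secret = store.read(key)
    if secret is None:
        raise SecretNotFound(f"vault key {key!r} not present; create it before referencing it")
    return secret


def is_resolvable(field_value: str, store: FakeVaultKV) -> bool:
    """True if the field is a literal or names a key that exists in the store."""
    key = vault_key(field_value)
    return key is None or store.read(key) is not None


def resolve_config(config: Dict[str, str], store: FakeVaultKV) -> Dict[str, bytes]:
    """Resolve every field of a component config (e.g. an LDAP user federation)."""
    return {name: resolve(value, store) for name, value in config.items()}


# Constructed sample data: the bind credential lives in the vault, not in the
# Keycloak database, while non-sensitive fields stay as literals.
SAMPLE_STORE = FakeVaultKV({"ldap-bind-password": b"s3cr3t-bind", "smtp-password": b"mail-pw"})
SAMPLE_LDAP_CONFIG = {
    "bindDn": "cn=keycloak,ou=svc,dc=example,dc=org",
    "bindCredential": "${vault.ldap-bind-password}",
}

if __name__ == "__main__":
    resolved = resolve_config(SAMPLE_LDAP_CONFIG, SAMPLE_STORE)
    print({name: value.decode() for name, value in resolved.items()})
```

In a real deployment the Keycloak database still holds the string `${vault.ldap-bind-password}`, which is the point of the scheme: only the key name is persisted, and the credential itself is fetched from Vault at use time. Check that the key exists (here `is_resolvable`) as part of provisioning, since a reference to a missing key fails only when the component first tries to use it.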