Hi,
I've been trying to store the Keycloak database password in a vault for some time, but without any success :( I started with v23 and am currently at v24.0.1. The documentation
https://www.keycloak.org/server/configuration#_setting_sensitive_options_using_a_java_keystore_file mentions "kc.db-url=keystoreValue" - but in the description of the resolution order below the table the keystore is not mentioned. The vault docs
https://www.keycloak.org/server/vault only mention three kinds of values, SMTP, LDAP, and OIDC, to be stored in a vault, all from the Admin Console. However, I found some comments on GitHub that also mention the DB password.
I tried
echo "mydbpassword" | keytool -importpass -keystore conf/vault.p12 -storepass mystorepass -alias kc.db-password
and then put
vault=keystore
vault-file=conf/vault.p12
vault-pass=mystorepass
vault-type=pkcs12
in keycloak.conf - without success. In the debug log I see that the vault is found and opened, but it does not seem to get the db-password from it. I did not configure the resolver, so REALM_UNDERSCORE_KEY is used.
I also tried importing with -importpass using the alias kc_db-password, but that didn't work either.
Am I doing something fundamentally wrong, or isn't it possible to store the DB password in a vault?
It would be nice to get some certainty... Cheers,
_ralf_
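The Keycloak configuration guide section linked in the post ("Setting sensitive options using a Java KeyStore file") describes a config keystore that is separate from the realm vault: entries are stored under the alias `kc.<option>` and the keystore is handed to the server with the `--config-keystore`, `--config-keystore-password` and `--config-keystore-type` options, whereas `vault=keystore` / `vault-file` / `vault-pass` / `vault-type` configure the realm vault that backs `${vault.key}` references made from the admin console. The script below is an added example, not code from the post or from the Keycloak project: it builds such a config keystore with `keytool -importpass` and prints the start options that point Keycloak at it. The keystore path, store password and DB password are assumed values constructed for the example, and the option names are taken from the configuration guide (verify them against the guide for your Keycloak version).

```shell
#!/bin/sh
# Added example, not code from the original post or from the Keycloak project.
# Builds the *config* keystore described in the Keycloak server configuration
# guide ("Setting sensitive options using a Java KeyStore file") and prints the
# start options that point Keycloak at it. Paths and passwords are assumptions
# for the example; DB_PASS is a constructed sample secret.
set -eu

KS="${KS:-/tmp/kc-config.p12}"            # assumed keystore path
KS_PASS="${KS_PASS:-changeit-store}"       # assumed keystore password
DB_PASS="${DB_PASS:-s3cr3t-db-password}"   # constructed sample DB password

# Config-keystore aliases are the option name prefixed with "kc.", so the
# entry feeding the db-password option is stored under "kc.db-password".
config_alias() {
    printf 'kc.%s\n' "$1"
}

# Create a fresh PKCS12 keystore and import the secret. When no terminal is
# attached, keytool -importpass reads the secret as one line from stdin
# (no re-enter prompt), which is what the pipe relies on.
build_config_keystore() {
    rm -f "$KS"
    printf '%s\n' "$DB_PASS" | keytool -importpass \
        -alias "$(config_alias db-password)" \
        -keystore "$KS" -storepass "$KS_PASS" -storetype PKCS12 >/dev/null 2>&1
}

# Exit status 0 only if the alias exists: keytool -list -alias fails otherwise,
# so this is a cheap check that the entry landed under the expected name.
has_alias() {
    keytool -list -alias "$1" -keystore "$KS" -storepass "$KS_PASS" \
        -storetype PKCS12 >/dev/null 2>&1
}

# The options that make Keycloak resolve kc.* entries from the keystore at
# startup. These are --config-keystore*, not --vault*: the vault options
# configure the realm vault used for ${vault.key} references in the admin
# console, which is a different mechanism.
config_keystore_args() {
    printf -- '--config-keystore=%s --config-keystore-password=%s --config-keystore-type=PKCS12\n' \
        "$KS" "$KS_PASS"
}

if command -v keytool >/dev/null 2>&1; then
    build_config_keystore
    if has_alias "$(config_alias db-password)"; then
        echo "stored $(config_alias db-password) in $KS"
    fi
else
    echo "keytool not found; skipping keystore creation" >&2
fi
# The server invocation itself is not executed here.
echo "start with: bin/kc.sh start $(config_keystore_args)"
```

The keystore password still has to reach the process somehow (command line, `keycloak.conf` or an environment variable), so the keystore narrows what is visible in plain text rather than eliminating it; keep the file readable only by the Keycloak service account.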