AWS SSO with Authentik
Providers
The following providers are needed by this module:
- authentik (2024.2.0)
- kubernetes (2.27.0)
- random (3.6.0)
- tls (4.0.5)
Required Inputs
The following input variables are required:
authentik_domain
Description: The domain name of the authentik instance
Type: string
authentik_namespace
Description: The kubernetes namespace where Authentik is deployed
Type: string
media_configmap
Description: The configmap holding the static media that Authentik will use
Type: string
organization_name
Description: The name of your organization
Type: string
vault_domain
Description: The domain name of the Vault instance
Type: string
vault_name
Description: The name of the vault instance. Must be unique in the Authentik system.
Type: string
Optional Inputs
The following input variables are optional (have default values):
allowed_groups
Description: Only members of these groups can access AWS
Type: set(string)
Default: []
ui_description
Description: The description to display in the Authentik web dashboard
Type: string
Default: "A Hashicorp Vault cluster"
ui_group
Description: The section in the Authentik web dashboard that this will appear in
Type: string
Default: "Vault"
Outputs
The following outputs are exported:
client_id
Description: The client ID to provide to the auth/oidc auth method in Vault
client_secret
Description: The client secret to provide to the auth/oidc auth method in Vault
oidc_discovery_url
Description: The OIDC discovery URL to use for the auth/oidc auth method in Vault
oidc_issuer
Description: The issuer to use for the auth/oidc auth method in Vault
oidc_redirect_uris
Description: The redirect URIs to use for the auth/oidc auth method in Vault
Usage
- You have to enable AWS SSO in the root account via the web console before applying this module for the first time.
- The SAML metadata document from the IdP needs to be uploaded to AWS MANUALLY.
- SCIM provisioning must be configured MANUALLY. Group assignments won't work until this step is completed.
- The user portal URL needs to be configured MANUALLY in the AWS web console in the SSO settings.
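The following is an added example, not part of this module's own documentation or code, showing how the documented inputs and outputs fit together in a root module: the call supplies every required input listed above, and the outputs are fed into Vault's auth/oidc method through the HashiCorp Vault Terraform provider (`vault_jwt_auth_backend` and `vault_jwt_auth_backend_role`). The module source path, the domain names, the Kubernetes namespace, the group names, and the policy name are assumptions chosen for illustration.

```hcl
# Added example (not the module's own code). Assumed values are marked.

terraform {
  required_providers {
    authentik = { source = "goauthentik/authentik", version = "2024.2.0" }
    vault     = { source = "hashicorp/vault" }
  }
}

module "authentik_vault_sso" {
  source = "../modules/authentik_vault_sso" # assumed path

  # Required inputs (values are assumptions)
  authentik_domain    = "authentik.example.com"
  authentik_namespace = "authentik"
  media_configmap     = "authentik-media"
  organization_name   = "Example Org"
  vault_domain        = "vault.example.com"
  vault_name          = "vault-prod"

  # Optional inputs. allowed_groups limits who may use the application;
  # the module default is an empty set, so set it deliberately.
  allowed_groups = ["vault-admins", "vault-operators"] # assumed group names
  ui_description = "Production Vault cluster"
  ui_group       = "Vault"
}

# Vault's OIDC auth method, configured entirely from the module outputs.
# bound_issuer pins the accepted token issuer to the Authentik instance.
resource "vault_jwt_auth_backend" "oidc" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = module.authentik_vault_sso.oidc_discovery_url
  bound_issuer       = module.authentik_vault_sso.oidc_issuer
  oidc_client_id     = module.authentik_vault_sso.client_id
  oidc_client_secret = module.authentik_vault_sso.client_secret
  default_role       = "default"
}

# A role that only accepts tokens minted for this client (bound_audiences)
# and only redirects back to the URIs the module registered in Authentik.
resource "vault_jwt_auth_backend_role" "default" {
  backend               = vault_jwt_auth_backend.oidc.path
  role_name             = "default"
  role_type             = "oidc"
  user_claim            = "sub"
  groups_claim          = "groups"
  oidc_scopes           = ["openid", "profile", "email"]
  bound_audiences       = [module.authentik_vault_sso.client_id]
  allowed_redirect_uris = module.authentik_vault_sso.oidc_redirect_uris
  token_policies        = ["default"] # assumed policy name
}
```

The client_secret output ends up in Terraform state once it is passed to the Vault provider, so the state backend needs the same access controls as the secret itself. Restricting bound_audiences to the module's client_id and allowed_redirect_uris to the module's oidc_redirect_uris keeps a token issued for a different Authentik application, or a login started from an unregistered redirect target, from being accepted by this auth method.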