AWS SSO with Authentik
Providers
The following providers are needed by this module:
Required Inputs
The following input variables are required:
authentik_domain
Description: The domain name of the authentik instance
Type: string
authentik_namespace
Description: The kubernetes namespace where Authentik is deployed
Type: string
media_configmap
Description: The configmap holding the static media that Authentik will use
Type: string
organization_name
Description: The name of your organization
Type: string
vault_domain
Description: The domain name of the Vault instance
Type: string
vault_name
Description: The name of the Vault instance. Must be unique in the Authentik system.
Type: string
Optional Inputs
The following input variables are optional (have default values):
allowed_groups
Description: Only members of these groups can access AWS
Type: set(string)
Default: []
ui_description
Description: The description to display in the Authentik web dashboard
Type: string
Default: "A Hashicorp Vault cluster"
ui_group
Description: The section in the Authentik web dashboard that this will appear in
Type: string
Default: "Vault"
Outputs
The following outputs are exported:
client_id
Description: The client ID to provide to the auth/oidc auth method in Vault
client_secret
Description: The client secret to provide to the auth/oidc auth method in Vault
oidc_discovery_url
Description: The OIDC discovery URL to use for the auth/oidc auth method in Vault
oidc_issuer
Description: The issuer to use for the auth/oidc auth method in Vault
oidc_redirect_uris
Description: The redirect URIs to use for the auth/oidc auth method in Vault
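The outputs above are only useful once they are wired into Vault. The following Terraform is an added example, not part of this module or its documentation, showing how a practitioner would consume them with the Vault provider's `vault_jwt_auth_backend` and `vault_jwt_auth_backend_role` resources and then map an Authentik group onto a Vault policy. The module source path, the input values, the `admin` policy, and the assumption that Authentik sends group membership in a `groups` claim are all placeholders or assumptions, not values from the page.

```hcl
# Added example: consuming this module's outputs from Vault's auth/oidc method.
# Assumptions (not from the page): the module path below is a placeholder, the
# vault provider is already pointed at vault_domain, a policy named "admin"
# exists, and Authentik emits group membership in a "groups" claim.

module "vault_sso" {
  source = "./path/to/this/module" # placeholder path

  authentik_domain    = "authentik.example.com"
  authentik_namespace = "authentik"
  media_configmap     = "authentik-media"
  organization_name   = "Example Org"
  vault_domain        = "vault.example.com"
  vault_name          = "vault-prod"

  # Only these Authentik groups may reach the Vault login flow at all.
  allowed_groups = ["vault-admins", "vault-readers"]
}

# Vault side: the OIDC auth method takes the module outputs directly.
resource "vault_jwt_auth_backend" "oidc" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = module.vault_sso.oidc_discovery_url
  bound_issuer       = module.vault_sso.oidc_issuer   # reject tokens from any other issuer
  oidc_client_id     = module.vault_sso.client_id
  oidc_client_secret = module.vault_sso.client_secret
  default_role       = "default"
}

resource "vault_jwt_auth_backend_role" "default" {
  backend               = vault_jwt_auth_backend.oidc.path
  role_name             = "default"
  role_type             = "oidc"
  user_claim            = "sub"
  groups_claim          = "groups"                     # assumption: Authentik's default groups scope
  bound_audiences       = [module.vault_sso.client_id] # reject tokens minted for another client
  allowed_redirect_uris = module.vault_sso.oidc_redirect_uris
  oidc_scopes           = ["openid", "profile", "email"]
  token_policies        = ["default"]
  token_ttl             = 3600
}

# allowed_groups gates who can log in; policy binding still needs an external
# identity group whose alias name matches the group name Authentik sends.
resource "vault_identity_group" "admins" {
  name     = "vault-admins"
  type     = "external"
  policies = ["admin"] # assumed to exist
}

resource "vault_identity_group_alias" "admins" {
  name           = "vault-admins" # must equal the value in the "groups" claim
  mount_accessor = vault_jwt_auth_backend.oidc.accessor
  canonical_id   = vault_identity_group.admins.id
}
```

Two settings do the security work here: `bound_issuer` and `bound_audiences` make Vault reject ID tokens that were issued by a different IdP or minted for a different OIDC client, and `allowed_redirect_uris` is populated from the module output rather than typed by hand so the Vault and Authentik sides cannot drift apart. The `allowed_groups` input restricts who can start the login flow in Authentik, but it grants no Vault permissions on its own; the external group and alias are what translate a group claim into policies.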
Usage
You have to enable AWS SSO in the root account via the web console before applying this module for the first time.
The SAML metadata document from the IdP needs to be uploaded to AWS MANUALLY.
SCIM provisioning must be configured MANUALLY. Group assignments won’t work until this step is completed.
The user portal URL needs to be configured MANUALLY in the AWS web console in the SSO settings.