Panfactum LogoPanfactum
Infrastructure ModulesDirect ModulesAuthentikauthentik_vault_sso
authentik_vault_sso
Stable
Direct
Source Code Link

AWS SSO with Authentik

Providers

The following providers are needed by this module:

  • authentik (2024.2.0)

  • kubectl (2.0.4)

  • kubernetes (2.27.0)

  • pf (0.0.3)

  • random (3.6.0)

  • tls (4.0.5)

Required Inputs

The following input variables are required:

authentik_domain

Description: The domain name of the authentik instance

Type: string

authentik_namespace

Description: The kubernetes namespace where Authentik is deployed

Type: string

media_configmap

Description: The configmap holding the static media that Authentik will use

Type: string

organization_name

Description: The name of your organization

Type: string

vault_domain

Description: The domain name of the Vault instance

Type: string

vault_name

Description: The name of the vault instance. Must be unique in the Authentik system.

Type: string

Optional Inputs

The following input variables are optional (have default values):

allowed_groups

Description: Only members of these groups can access AWS

Type: set(string)

Default: []

ui_description

Description: The description to display in the Authentik web dashboard

Type: string

Default: "A Hashicorp Vault cluster"

ui_group

Description: The section in the Authentik web dashboard that this will appear in

Type: string

Default: "Vault"

Outputs

The following outputs are exported:

client_id

Description: The client ID to provide to the auth/oidc auth method in Vault

client_secret

Description: The client secret to provide the auth/oidc auth method in Vault

oidc_discovery_url

Description: The OIDC discovery url to use for the auth/oidc auth method in Vault

oidc_issuer

Description: The issuer to use for the auth/oidc auth method in Vault

oidc_redirect_uris

Description: The redirect URIs to use for the auth/oidc auth method in Vault

Usage

  1. You have to enable AWS SSO in the root account via the web console before applying this module for the first time.

  2. The SAML metadata document from the IdP needs to be uploaded to AWS MANUALLY.

  3. SCIM provisioning must be configured MANUALLY. Group assignments won't work until this step is completed.

  4. The user portal URL needs to be configured MANUALLY in the aws web console in the SSO settings.