Skip to main content

Hashicorp Vault

Support level: authentik

What is Vault



Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.


This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See for a more in depth vault guide


The following placeholders will be used:

  • is the FQDN of authentik.
  • is the FQDN of Vault.

Step 1

In authentik, create an OAuth2/OpenID Provider (under Resources/Providers) with these settings:


Only settings that have been modified from default have been listed.

Protocol Settings

  • Name: Vault

  • Signing Key: Select any available key

  • Redirect URIs/Origins:

Take note of the Client ID and Client Secret, you'll need to give them to Vault in Step 3.

Step 2

In authentik, create an application (under Resources/Applications) which uses this provider. Optionally apply access restrictions to the application using policy bindings.


Only settings that have been modified from default have been listed.

  • Name: Vault
  • Slug: vault-slug
  • Provider: Vault

Step 3

Enable the oidc auth method vault auth enable oidc

Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider

vault write auth/oidc/config \
oidc_discovery_url="" \
oidc_client_id="Client ID" \
oidc_client_secret="Client Secret" \

Create the reader role

vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
allowed_redirect_uris="" \
allowed_redirect_uris="" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \

You should then be able to sign in via OIDC vault login -method=oidc role="reader"