Azure AD - OIDC

In order to use Azure Active Directory (AAD) as an IdP to authenticate the Akeyless Vault via OIDC, you need to follow the below steps.

Create an application

  1. In your Azure account, go to App registrations > New registrations.
  1. For Redirect URI type select Web for Application type
    Set as a value and press Register.
  1. Once the app has been created, you need to obtain the Client ID, Client Secret, and the Issuer URL:
  • The Client Id can be fetched from Overview > Application (client) ID:
  • The Client Secret can be created under Certificates & secrets > New Client Secret:
1303 1600
  1. In order to add the AD group as a sub claim, go to Token configuration > Add Groups Claim:
  1. In order to bind the Azure application with your Akeyless Vault account, you need to create an OIDC Authentication Method using either CLI or UI, as described below.

Create OIDC Authentication Method - CLI

akeyless create-auth-method-oidc --name 'my Azure app' --issuer https://{your-issuer-url} --client-id {your-client-id}  --client-secret {your-client-secret} --unique-identifier {your-unique-identifier (e.g 'email' or 'username'')}

Login with OIDC - CLI

You should configure a new profile with your Access-ID from the previous step and OIDC type (if no profile name is provided the default will be configured):

akeyless configure --access-id <your access ID >  --access-type oidc --profile 'azure-app'

Now, you can run any Akeyless CLI command and be authenticated with the Azure application:

akeyless list-items --profile azure-app