HashiCorp Certified: Vault Associate Certification

Compare Authentication Methods

Demo Okta Auth Method

In this tutorial, you’ll configure HashiCorp Vault to authenticate users through Okta. You will:

  1. Create an Okta API token
  2. Enable and verify the Okta auth method in Vault
  3. Configure Vault with your Okta organization details
  4. Map Okta users (and groups) to Vault policies
  5. Sign in to Vault via Okta (CLI and UI)

By the end, Vault will trust Okta as an identity provider, enforcing your Vault policies based on Okta users and groups.


1. Create an Okta API Token

  1. Log in to the Okta Admin Console.
  2. Go to Security > API and open the Tokens tab.
  3. Click Create Token, give it a descriptive name (for example, Vault-Integration), and copy the generated token.

The image shows a web interface for creating an API token on Okta, with a pop-up message confirming the token creation and displaying the token value.

Warning

Treat the Okta API token like a password: it inherits the privileges of the admin account that created it and lets whoever holds it query your Okta directory. Create it from a least-privileged (read-only admin) account, keep it in a secret store rather than in shell history or a long-lived environment variable, and revoke and recreate it if it is ever exposed. The token value shown in the commands below is a demo value only.


2. Enable the Okta Auth Method in Vault

On your Vault server (shown here running in dev mode), enable the Okta auth backend:

vault auth enable okta
vault auth list

Sample output:

Path    Type   Accessor             Description
----    ----   --------             -----------
okta/   okta   auth_okta_90844582   Okta authentication
token/  token  auth_token_0ba527c3  Built-in token provider

3. Configure the Okta Auth Method

Provide Vault with your Okta organization name (the subdomain of your Okta URL), the base URL (okta.com is the default; use oktapreview.com or okta-emea.com if that is where your org lives), and the API token you created. The API token is what lets Vault look up a user's Okta group membership; without it only groups configured locally in Vault are applied:

vault write auth/okta/config \
  base_url="okta.com" \
  org_name="your-org-name" \
  api_token="00SkFU6jMj8HkcuH03AUs6zdiGzQFTOBebVbbP9K"

Verify the settings (the API token itself is not returned on read):

vault read auth/okta/config

Expected response:

Key                     Value
---                     -----
base_url                okta.com
org_name                your-org-name
organization            your-org-name
bypass_okta_mfa         false
token_policies          []
...

Note

bypass_okta_mfa defaults to false, so any MFA that Okta requires of the user is enforced at Vault login time. Only set it to true if you deliberately want Vault to ignore Okta's MFA challenge (for example, because you are using Vault's own MFA instead); note that this also causes Vault to ignore other Okta statuses such as an expired password.


4. Map an Okta User to a Vault Policy

Assign an Okta user (for example, [email protected]) to a Vault policy (e.g., bryan). Policies mapped directly to a user are added to whatever policies the user receives through group mappings, so the token issued at login carries the union of both:

vault write auth/okta/users/[email protected] policies=bryan

Output:

Success! Data written to: auth/okta/users/[email protected]

Resource Type   Example Command
-------------   ---------------
Map user        vault write auth/okta/users/[email protected] policies=developer
Map group       vault write auth/okta/groups/engineering policies=eng-team

5. Sign in to Vault via Okta

CLI Authentication

vault login -method=okta username="[email protected]"

You will be prompted for your Okta password, and if Okta requires MFA the challenge (for example an Okta Verify push) is triggered during login. After a successful login, run vault token lookup and confirm that the policies listed on the new token match the user and group mappings you created; that is the check that the integration actually enforces what you intended.

UI Authentication

  1. Open the Vault UI and select Okta as the login method.
  2. Enter your Okta username and password, then click Sign in.

The image shows a login page for "Vault" with fields for method, username, and password, and a "Sign in" button. The method selected is "Okta."

After signing in with a token whose policies permit managing the auth method, view mapped users under Access > Okta > Users. You can also add or edit user mappings there:

The image shows the Vault UI form for creating a new Okta user mapping, with fields for name, groups, and policies, and options to save or cancel.

To map Okta groups in Vault, navigate to Access > Okta > Groups, specify the group name and Vault policies, then save:

The image shows a web interface for creating a group in a Vault application, with fields for entering a name and policies, and options to save or cancel. A pop-up warning about unsaved changes is also visible.


With these steps complete, Vault is now integrated with Okta for user and group authentication. Policies defined in Vault will be enforced based on your Okta identities.
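The following script is an added example, not part of the original lesson, that performs steps 2 to 5 end to end against a Vault you can administer (VAULT_ADDR and VAULT_TOKEN already set, for instance a dev server). It assumes OKTA_ORG, OKTA_API_TOKEN and OKTA_USER are exported, and OKTA_GROUP, USER_POLICY and GROUP_POLICY are optional placeholders. The two differences from typing the commands by hand are that the API token is passed to vault write on stdin as JSON rather than as a command-line argument (so it does not land in shell history or ps output), and that the configuration is read back and checked before any user is mapped.

```shell
#!/bin/sh
# Added example (not from the original lesson): scripted version of steps 2-5.
# Assumptions: VAULT_ADDR and VAULT_TOKEN already point at a Vault you can
# administer (e.g. a dev server); OKTA_ORG, OKTA_API_TOKEN and OKTA_USER are
# exported; OKTA_GROUP, USER_POLICY and GROUP_POLICY are optional placeholders.
set -eu

# Build the JSON body for auth/okta/config. Feeding it to `vault write ... -`
# on stdin keeps the API token out of `ps` output and shell history, which is
# where a token typed as api_token=... on the command line would end up.
okta_config_json() {
  # $1 = org name (Okta subdomain), $2 = API token, $3 = base URL (default okta.com)
  printf '{"org_name":"%s","base_url":"%s","api_token":"%s","bypass_okta_mfa":false}\n' \
    "$1" "${3:-okta.com}" "$2"
}

# Check a `vault read -format=json auth/okta/config` response: the org must be
# the one we configured and Okta MFA must not be bypassed. Returns non-zero on
# either failure. Vault does not return the api_token here, so it is not checked.
config_is_sane() {
  # $1 = JSON response, $2 = expected org name
  printf '%s' "$1" | grep -q "\"org_name\": *\"$2\"" || return 1
  printf '%s' "$1" | grep -q '"bypass_okta_mfa": *false' || return 1
  return 0
}

main() {
  if [ -z "${OKTA_ORG:-}" ] || [ -z "${OKTA_API_TOKEN:-}" ] || [ -z "${OKTA_USER:-}" ]; then
    echo "usage: OKTA_ORG=<subdomain> OKTA_API_TOKEN=<token> OKTA_USER=<login> [OKTA_GROUP=<group>] $0" >&2
    return 0
  fi
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found" >&2; return 1; }

  # Step 2: enable the method only if it is not already mounted at okta/.
  vault auth list -format=json | grep -q '"okta/"' || vault auth enable okta

  # Step 3: configure from stdin, then read the config back and verify it.
  okta_config_json "$OKTA_ORG" "$OKTA_API_TOKEN" | vault write auth/okta/config -
  cfg=$(vault read -format=json auth/okta/config)
  config_is_sane "$cfg" "$OKTA_ORG" || { echo "auth/okta/config is not what we wrote" >&2; return 1; }

  # Step 4: map a user and (optionally) a group. The token issued at login
  # carries the union of the user's policies and those of every group Okta
  # reports the user belongs to.
  vault write "auth/okta/users/$OKTA_USER" policies="${USER_POLICY:-developer}"
  if [ -n "${OKTA_GROUP:-}" ]; then
    vault write "auth/okta/groups/$OKTA_GROUP" policies="${GROUP_POLICY:-eng-team}"
  fi

  # Step 5: log in as the Okta user (prompts for the password; Okta MFA, if
  # required, is triggered by Vault). -token-only prints just the new token
  # without storing it, so VAULT_TOKEN in the environment does not mask it
  # when we look it up to confirm which policies it actually carries.
  okta_token=$(vault login -method=okta -token-only username="$OKTA_USER")
  vault token lookup "$okta_token"
}

main "$@"
```

Run it as `OKTA_ORG=your-org-name OKTA_API_TOKEN="$(cat /path/to/token)" OKTA_USER=user@example.com sh okta-setup.sh`. The final vault token lookup is the step worth keeping even when you do the rest by hand: the policies it prints are what the Okta user really gets, and a mismatch with what you mapped usually means a group name that does not match what Okta returns or an API token without permission to read group membership.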
