» vault_identity_oidc_role

Creates an Identity OIDC Role for Vault Identity secrets engine to issue identity tokens.

The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault.

Use this with vault_identity_oidc_key and vault_identity_oidc_key_allowed_client_id to configure a Role to generate Identity Tokens.

» Example Usage

You need to create a role with a named key. At creation time, the key can be created independently of the role. However, the key must exist before the role can be used to issue tokens. You must also configure the key with the role's Client ID to allow the role to use the key.

variable "key" {
  description = "Name of the OIDC Key"
  default     = "key"

resource "vault_identity_oidc_key" "key" {
  name      = var.key
  algorithm = "RS256"

  allowed_client_ids = [

resource "vault_identity_oidc_role" "role" {
  name = "role"
  key  = var.key

If you want to create the key first before creating the role, you can use a separate resource to configure the allowed Client ID on the key.

resource "vault_identity_oidc_key" "key" {
  name      = "key"
  algorithm = "RS256"

resource "vault_identity_oidc_role" "role" {
  name = "role"
  key  = vault_identity_oidc_key.key.name

resource "vault_identity_oidc_key_allowed_client_id" "role" {
  key_name          = vault_identity_oidc_key.key.name
  allowed_client_id = vault_identity_oidc_role.role.client_id

» Argument Reference

The following arguments are supported:

  • name - (Required; Forces new resource) Name of the OIDC Role to create.

  • key - (Required; Forces new resource) A configured named key, the key must already exist before tokens can be issued.

  • template - (Optional) The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format.

  • ttl - (Optional) TTL of the tokens generated against the role in number of seconds.

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the created role.

  • client_id - The value that will be included in the aud field of all the OIDC identity tokens issued by this role

» Import

The key can be imported with the role name, for example:

$ terraform import vault_identity_oidc_role.role role