Create a new OIDC issuer in Vultr IAM to enable federated identity authentication. Configure the issuer URL and audience for trusted token verification.
An OIDC issuer registers an external identity provider's public key with Vultr so that Vultr can validate JWT tokens issued by that provider. This enables federated role assumption — users authenticated by the external IdP (such as Okta, Google, or Azure AD) can assume roles in Vultr without separate Vultr credentials.
The issuer requires the JWK (JSON Web Key) public key components from the external identity provider's JWKS endpoint.
Follow this guide to create an OIDC issuer using the Vultr API or Terraform.
Retrieve the external identity provider's JWKS. Replace IDP-JWKS-URL with the provider's JWKS endpoint (e.g., https://dev-123456.okta.com/oauth2/default/v1/keys).
$ curl "IDP-JWKS-URL"
Note the kid, n, and e values from the first RSA key in the response. If the JWKS lists several keys, take them from the RSA key whose use is sig and alg is RS256; an encryption key or a key of another type will not validate the provider's tokens.
Send a POST request to the Create OIDC Issuer endpoint. Replace IDP-ISSUER-URI with the provider's issuer URL, and IDP-KID, IDP-N-VALUE, IDP-E-VALUE with the JWK values from the previous step.
$ curl "https://api.vultr.com/v2/oidc/issuer" \
    -X POST \
    -H "Authorization: Bearer ${VULTR_API_KEY}" \
    -H "Content-Type: application/json" \
    -d '{
        "issuer": {
            "source": "external",
            "uri": "IDP-ISSUER-URI",
            "kid": "IDP-KID",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "IDP-N-VALUE",
            "e": "IDP-E-VALUE"
        }
    }'
The source field accepts external for third-party identity providers. The response includes the new issuer's id; note it for use in role trust configurations.
To create the issuer with Terraform instead, first retrieve the signing key values from your identity provider's JWKS endpoint. Replace IDP-JWKS-URL with the provider's JWKS endpoint.
$ curl "IDP-JWKS-URL"
From the key with "use": "sig" and "alg": "RS256", note the kid, kty, alg, use, n, and e values.
Ensure the Vultr Terraform provider is configured in your Terraform project.
Define the OIDC issuer resource. Replace each placeholder with the corresponding value from the JWKS response.
resource "vultr_oidc_issuer" "my_issuer" {
    source = "external"
    uri    = "IDP-ISSUER-URI"
    kid    = "IDP-KID"
    kty    = "RSA"
    alg    = "RS256"
    use    = "sig"
    n      = "IDP-N-VALUE"
    e      = "IDP-E-VALUE"
}
Apply the configuration.
$ terraform apply
Verify that the output shows vultr_oidc_issuer.my_issuer: Creation complete. Note the issuer id from the Terraform state for use in role trust configurations.
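The key-selection step above (picking the RS256 signing key out of the JWKS) and the two ways of registering it (the API request body and the Terraform resource) can be driven from one small script. The following is an added example written for this guide, not Vultr's own code or tooling: it embeds a constructed JWKS document instead of fetching one, so it runs offline, and the issuer URI it uses is assumed from the guide's example Okta JWKS URL. It refuses to guess when the JWKS carries several RS256 signing keys, which happens around key rotation, and checks that the modulus and exponent are plausible before emitting the request body and the HCL.

```python
"""Pick the RS256 signing key out of an IdP's JWKS and turn it into the
Vultr create-issuer request body and the matching Terraform resource.
Added example for this guide, not Vultr code; the JWKS below is constructed
so the script runs offline (fetch the real one with curl, as in the guide)."""
import base64
import json
from typing import Any, Dict, Optional


def b64url_decode(value: str) -> bytes:
    """JWK fields use unpadded base64url (RFC 7515); restore padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed 2048-bit value standing in for a real RSA modulus.
_SAMPLE_N = b64url_encode(bytes([0xC3]) + b"\x5a" * 254 + b"\x01")

# Constructed JWKS: an EC key, an RSA encryption key and one RSA signing key,
# so that "the first key" and "the RS256 signing key" are different entries.
SAMPLE_JWKS: Dict[str, Any] = {
    "keys": [
        {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": "Y29uc3RydWN0ZWQ", "y": "Y29uc3RydWN0ZWQ"},
        {"kty": "RSA", "kid": "rsa-enc-1", "use": "enc", "alg": "RSA-OAEP",
         "n": _SAMPLE_N, "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-sig-1", "use": "sig", "alg": "RS256",
         "n": _SAMPLE_N, "e": "AQAB"},
    ]
}


def rsa_modulus_bits(key: Dict[str, Any]) -> int:
    return int.from_bytes(b64url_decode(key["n"]), "big").bit_length()


def select_signing_key(jwks: Dict[str, Any], kid: Optional[str] = None) -> Dict[str, str]:
    """Return the single RSA/RS256/sig key, or the one named by kid.

    Raises if no such key exists, or if several exist and no kid was given:
    IdPs publish more than one signing key around rotation, and registering
    the wrong one means Vultr rejects every token the IdP actually issues.
    """
    candidates = [
        k for k in jwks.get("keys", [])
        if k.get("kty") == "RSA" and k.get("use") == "sig" and k.get("alg") == "RS256"
    ]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if not candidates:
        raise ValueError("no RSA RS256 signing key found in JWKS")
    if len(candidates) > 1:
        kids = [k.get("kid") for k in candidates]
        raise ValueError(f"several signing keys present, choose one by kid: {kids}")
    key = candidates[0]
    for field in ("kid", "n", "e"):
        if not key.get(field):
            raise ValueError(f"signing key is missing {field!r}")
    if rsa_modulus_bits(key) < 2048:
        raise ValueError("RSA modulus shorter than 2048 bits")
    if int.from_bytes(b64url_decode(key["e"]), "big") < 3:
        raise ValueError("implausible RSA public exponent")
    # Field order matches the guide's request body and Terraform resource.
    return {f: key[f] for f in ("kid", "kty", "alg", "use", "n", "e")}


def build_issuer_request(issuer_uri: str, key: Dict[str, str]) -> Dict[str, Any]:
    """Body for POST /v2/oidc/issuer with source=external, as in the guide."""
    if not issuer_uri.startswith("https://"):
        raise ValueError("issuer URI must be https")
    return {"issuer": {"source": "external", "uri": issuer_uri, **key}}


def render_terraform(name: str, issuer_uri: str, key: Dict[str, str]) -> str:
    """HCL for the vultr_oidc_issuer resource shown in the guide."""
    attrs = {"source": "external", "uri": issuer_uri, **key}
    body = "\n".join(f"  {k} = {json.dumps(v)}" for k, v in attrs.items())
    return f'resource "vultr_oidc_issuer" "{name}" {{\n{body}\n}}\n'


if __name__ == "__main__":
    # Assumed issuer URI, derived from the guide's example JWKS URL.
    issuer = "https://dev-123456.okta.com/oauth2/default"
    chosen = select_signing_key(SAMPLE_JWKS)
    print(json.dumps(build_issuer_request(issuer, chosen), indent=2))
    print(render_terraform("my_issuer", issuer, chosen))
```

The issuer URI is passed through unchanged rather than normalised: Vultr compares it against the iss claim in the provider's tokens, so it must match the provider's issuer string exactly, including any path and the presence or absence of a trailing slash. Because the registered kid and n are a snapshot of one key, rerun the selection and update the issuer whenever the provider rotates its signing keys.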