Overview
This guide will show you how to create a JWT Authentication Method, and how to configure env zero to utilize OIDC to authenticate to your vault cluster to retrieve secrets. Refer to env zero’s OIDC configuration.This guide configures a v2 OIDC credential (the recommended format), where the token audience is
api://env0-vault. See Token versions for background. If you already authenticate to Vault with a v1 credential (the role’s bound_audiences set to https://prod.env0.com), see Migrating an existing v1 credential below.JWT Authentication Method
- Login to your vault cluster
- In the side navigation bar click on
Access - Choose
Authentication Methodsin the left side menu - Click on the
Enable new methodbutton and it will open the Authentication method creation wizard - Choose
JWT - Expand
Method Optionsadd a description and the relevant configuration and click on theEnabled Methodbutton - In the
Configure JWTpage under theJwks urlenterhttps://login.app.env0.com/.well-known/jwks.json - Expand
JWT Optionsand set theBound issuerto behttps://login.app.env0.com/ - Click on the
Savebutton

Setup Secrets Store and Create Policy
Create a KV store in vault to save and fetch secrets.Create Login Role
To create the role that binds the policy,sub, aud and env0 custom claims we will use the vault CLI. Make sure you have it installed on your machine and that you have access to vault. Export the following environment variables:
VAULT_TOKEN environment variable to authenticate but if you prefer, you can skip it and use vault login instead.
Now execute the following command to create the role:
More ClaimsIn this example we only set the
aud, the organizationId and the apiKeyType claims, however you can also set any additional claims you would like from the list of claims we support. The list is located hereAuthenticating to Vault with env zero Credential
Go to the organization’s credentials page and create a new deployment credential. SelectVault OIDC type and enter the following fields:
Address- The vault address, including portVersion- The vault version to useRole Name- Vault role nameJWT Auth Backend Path- Path to the new authentication methodNamespace- Optional, the vault namespace- Use v2 OIDC token - check this box so env zero mints a token with the
api://env0-vaultaudience set in the role’sbound_audiencesabove. The form shows the resultingAudience (aud)value. Leaving it unchecked produces a v1 token (aud: https://prod.env0.com), which the role will reject unless that audience is also bound.

Authenticating to Vault with Terraform Provider
To configure the vault terraform provider all you need is the vault provider block and theVAULT OIDC deployment credentials set on the project. Example:
VAULT OIDC deployment credentials are used to authenticate with the vault server along with the ENV0_OIDC_TOKEN JWT token which then sets the VAULT_TOKEN variable with the actual session token that is returned from the vault server used for authentication/authorization.
Migrating an existing v1 credential
If you already authenticate to Vault with a v1 env zero OIDC credential, your JWT role’sbound_audiences is ["https://prod.env0.com"]. Because bound_audiences is a list, you can bind the v2 audience alongside the old one and migrate without downtime:
- Add the v2 audience to the role. Update the role to bind both audiences, keeping the old one for now:
- Enable v2 on the credential. Edit the Vault OIDC credential in env zero and check Use v2 OIDC token. The next deployment mints a token with
aud: api://env0-vault. - Remove the old audience once migration is complete. After confirming v2 deployments authenticate successfully, you can drop
https://prod.env0.comfrombound_audiencesso the role accepts only the provider-specific audience.
Next steps
- Retrieve OIDC Subject Identifier - Find the subject identifier for your OIDC token.
- OIDC for AWS - Set up OIDC for AWS cloud authentication.
- OIDC for Azure - Set up OIDC for Azure cloud authentication.