Allow Authorized Google OIDC users only in Vault

I have created the Google OIDC auth method in my vault. I want to authorize allowed Gmail users to log in to the vault, and the rest should get an unauthorized message when logging in. I am trying to create an ACL for it but am not finding an appropriate solution.
Thank You.

Have you found the Google-specific section in the documentation? OIDC Provider Setup - Auth Methods | Vault by HashiCorp. It’s pretty tricky and detailed to set up, as with most things OIDC, but if you’ve set up Vault with an OAuth client ID and secret from Google, you should be able to limit what users can authorize with it by setting the user type to Internal in your Google settings: Setting up your OAuth consent screen - Google Cloud Platform Console Help.

In this instance, ACLs would determine what policies, and thus what actions users can take, once they are already logged in, so I don’t think they’re relevant to your particular question.

Hope that helps!


I created internal groups and assigned policies based on entities. This helped me.
Also, while creating the OIDC auth method, I didn’t pass any policy, so that covered my secrets too. But I want to know a permanent solution, i.e. what policy should I create to deny all access, even cubbyhole secrets, to OIDC-authenticated users which I didn’t allow.
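An added example, not from either poster, of an OIDC role definition that enforces the allow-list at login time rather than through policies: `bound_claims` rejects any Google ID token whose `email` claim is not in the list, and `token_no_default_policy` stops Vault from attaching the built-in `default` policy (which is what grants `cubbyhole/*` access) to the tokens it does issue. The email addresses, the redirect URI and the `oidc-users` policy name are constructed placeholders; the role is written with `vault write auth/oidc/role/google @google-role.json` against an OIDC auth method that has already been configured with the Google client ID and secret.

```json
{
  "role_type": "oidc",
  "user_claim": "email",
  "oidc_scopes": ["openid", "email"],
  "allowed_redirect_uris": [
    "https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback"
  ],
  "bound_claims_type": "string",
  "bound_claims": {
    "email": ["alice@example.com", "bob@example.com"]
  },
  "token_policies": ["oidc-users"],
  "token_no_default_policy": true
}
```

Anyone who authenticates with Google but whose email is not listed gets a permission-denied error from Vault before any token exists, so no deny policy is needed; to allow a whole Workspace domain instead of individual addresses, set `bound_claims_type` to `glob` and use a pattern such as `*@example.com`.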