Hi all,
I have an organization that stores users in G Suite, and I want to authorize users to access secrets in Vault based on their Google groups.
I’m using Dex as an intermediate authorization layer—it has a Google connector configured, and my Vaults (I’ll have multiple instances) authenticate through Dex via OIDC.
Everything works fine until I need to start distributing Vault access policies based on Google groups.
The JWT token that Dex returns to Vault definitely contains a groups claim with a list of groups. However, Vault can’t read it, even though it’s just a standard array.
I know I could connect Vault directly to Google, but Google doesn’t return groups by default. It requires creating a service account that impersonates a role with read access to the Google account directory. Then I’d have to put those service account credentials in each Vault instance across all environments, which I’d prefer to avoid.
Here is a cleaned up sample of the token contents:
{
  "iss": "",
  "sub": "",
  "aud": "",
  "exp": ,
  "iat": ,
  "nonce": "",
  "at_hash": "",
  "c_hash": "",
  "email": "user.name@domain.com",
  "email_verified": true,
  "groups": [
    "aws-access@domain.com",
    "aws-admin@domain.com",
    "devops@domain.com",
    "gcp-billing-admins@domain.com",
    "gcp-organization-admins@domain.com",
    "vault-access-dev@domain.com",
    "vault-access-production@domain.com"
  ],
  "name": "User Name"
}
And here is a screenshot of the error I get during the auth attempt:
Doesn't it look like a bug in Vault?
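The following is an added example, not code from the post, from Dex or from Vault. It reproduces offline the two things a Vault OIDC role does with a token like the one above when `groups_claim` is set on the role: select the claim (by plain name, or by a JSON pointer such as `/resource_access/groups` for a nested claim, which is the syntax Vault's `groups_claim` and `user_claim` accept) and require that its value is a JSON array of strings, then map each group string to policies the way an external identity group with a matching group-alias name would. The issuer, subject, audience and timestamps are placeholders invented for the sample, the `GROUP_POLICIES` table is constructed, and the token is an unsigned `alg: none` JWT built only so the payload can be decoded without a key; the code never verifies a signature and is for inspection only.

```python
"""Inspect an OIDC ID token's groups claim the way a Vault OIDC role's
groups_claim setting selects it, and map groups to policies the way
external identity groups do.  Example added to this thread; it is not
Vault's implementation and it does NOT verify the token signature."""
import base64
import json
from typing import Any, Dict, List

# Constructed sample: the claim set from the post, with the blanked-out
# fields filled with obviously fake values (assumptions, not real data).
_CLAIMS: Dict[str, Any] = {
    "iss": "https://dex.example.com",   # assumption
    "sub": "CgdleGFtcGxlEgZnb29nbGU",    # assumption
    "aud": "vault-dev",                  # assumption
    "exp": 1700000000,                   # assumption
    "iat": 1699996400,                   # assumption
    "email": "user.name@domain.com",
    "email_verified": True,
    "groups": [
        "aws-access@domain.com",
        "aws-admin@domain.com",
        "devops@domain.com",
        "gcp-billing-admins@domain.com",
        "gcp-organization-admins@domain.com",
        "vault-access-dev@domain.com",
        "vault-access-production@domain.com",
    ],
    "name": "User Name",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Unsigned JWT (alg "none", empty signature) so the payload decodes offline.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps(_CLAIMS).encode()),
    "",
])


def decode_claims(token: str) -> Dict[str, Any]:
    """Decode the payload segment WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_claim(claims: Dict[str, Any], selector: str) -> Any:
    """Select a claim by plain name, or by RFC 6901 JSON pointer when the
    selector starts with "/" (e.g. "/resource_access/roles")."""
    if not selector.startswith("/"):
        return claims.get(selector)
    node: Any = claims
    for raw in selector[1:].split("/"):
        key = raw.replace("~1", "/").replace("~0", "~")   # pointer unescaping
        if isinstance(node, dict):
            node = node.get(key)
        elif isinstance(node, list) and key.isdigit() and int(key) < len(node):
            node = node[int(key)]
        else:
            return None
        if node is None:
            return None
    return node


def groups_from_token(token: str, groups_claim: str = "groups") -> List[str]:
    """Return the group list, enforcing the array-of-strings shape Vault requires."""
    value = resolve_claim(decode_claims(token), groups_claim)
    if value is None:
        raise ValueError(f"claim {groups_claim!r} is missing from the token")
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ValueError(
            f"claim {groups_claim!r} must be a JSON array of strings, got {value!r}")
    return value


# Constructed mapping: the alias name of an external identity group must equal
# the group string carried in the claim for the group's policies to apply.
GROUP_POLICIES: Dict[str, List[str]] = {
    "vault-access-dev@domain.com": ["dev-secrets"],
    "vault-access-production@domain.com": ["prod-secrets"],
}


def policies_for(token: str, groups_claim: str = "groups") -> List[str]:
    """Union of policies granted by every group in the token that has a mapping."""
    policies = set()
    for group in groups_from_token(token, groups_claim):
        policies.update(GROUP_POLICIES.get(group, []))
    return sorted(policies)


if __name__ == "__main__":
    print(groups_from_token(SAMPLE_TOKEN))
    print(policies_for(SAMPLE_TOKEN))
```

Running it with `groups_claim="email"` raises the array-of-strings error, which is the shape check worth trying first when a groups claim is present in the token but not picked up: the selector must point at the array itself, not at a parent object or a scalar.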
