Auth method default role precedence

Hi All,

We have enabled OIDC auth method and configured the same with an auth role (example: reader) where a policy is also applied. OIDC auth method works perfectly fine.
An identity policy is applied on a group of people who are loggig into vault via OIDC. But the policy in the OIDC auth role always takes precendence over the identity policy.
For example: identity policy says full rights over identity/group but the policy in the auth role allows only read and list rights on the path identity/group. Here the resultant rights are just read and list. Is there any option to prioritize identity policy
Vault Ver: 1.8.4

Without knowing what’s in your policy it’s a bit hard to say.

But in general, more specific paths in policies win.
Details can be found in the Policy Syntax section of the Policy overview.

If you provide some sample policies you’re dealing with we may be able to offer more specific advice.

follwing content in the identity policy.
Path = “identity/group/*” {
capabilities = [“create”, “update”, “read”, “list”, “delete”]
}

auth role policy is as below.

path = “identity/*” {
capabilities = [“read”, “list”]
}

In my case auth tole policy always wins.

You might need to add a second path in your identity policy.

When creating a group it needs to be on the identity/group endpoint and your current policy grants rights to everything after that.

path = "identity/group" {
  capabilities = ["create", "update"]
}

path = "identity/group/*" {
  capabilities = ["create", "update", "read", "list", "delete"]
}
1 Like

Thanks a lot. How on earth did I miss it. It really helped.
I modified the policy as below and it worked.
path = “identity/*” {
capabilities = [“create”, “update”, “read”, “list”, “delete”]
}