Azure AD auth: user & programmatic access

Vault
1

I have successfully deployed the vault with OIDC auth using Azure AD. Therefore I set the following config using terraform:

data "external" "env" {
  program = ["/app/env.sh"]
}
provider "vault" {
  address = "http://localhost:8200"
  token   = data.external.env.result["VAULT_TOKEN"]
}


resource "vault_jwt_auth_backend" "oidc" {
  type               = "oidc"
  path               = "oidc"
  oidc_discovery_url = format("https://login.microsoftonline.com/%s/v2.0", data.external.env.result["AZURE_TENANT_ID"])
  oidc_client_id     = data.external.env.result["AZURE_CLIENT_ID"]
  oidc_client_secret = data.external.env.result["AZURE_CLIENT_SECRET"]
  bound_issuer = "https://login.microsoftonline.com"
  default_role = "oidc"

  lifecycle {
    prevent_destroy = false
  }
}

resource "vault_jwt_auth_backend_role" "oidc_user" {
  backend         = vault_jwt_auth_backend.oidc.path
  role_name       = "oidc"
  token_policies  = ["default", "nx-dev"]
  bound_audiences = [data.external.env.result["AZURE_CLIENT_ID"]]

  user_claim            = "oid"
  role_type             = "oidc"
  allowed_redirect_uris = ["http://localhost:8250/oidc/callback", 
                            "http://localhost:8200/ui/vault/auth/oidc/oidc/callback"
                            ]
  # groups_claim          = "roles"
  oidc_scopes           = ["https://graph.microsoft.com/.default", "profile", "email"]

  verbose_oidc_logging = true
}

Having access to the Web UI, now I also want to access the vault from a Python script. I already have the generation of an AccessToken using msal.ConfidentialClientApplication and acquire_token_for_client(). However, I fail to use this token to access the secrets in the vault…

I enabled jwt logon with a jwt role as follows:

resource "vault_jwt_auth_backend" "jwt" {
  type               = "jwt"
  path               = "jwt"
  oidc_discovery_url = format("https://login.microsoftonline.com/%s/v2.0", data.external.env.result["AZURE_TENANT_ID"])
  oidc_client_id     = data.external.env.result["AZURE_CLIENT_ID"]
  oidc_client_secret = data.external.env.result["AZURE_CLIENT_SECRET"]
  bound_issuer = format("https://login.microsoftonline.com/%s/v2.0", data.external.env.result["AZURE_TENANT_ID"])
  default_role = "jwt"

  lifecycle {
    prevent_destroy = false
  }
}

resource "vault_jwt_auth_backend_role" "oidc_application" {
  backend         = vault_jwt_auth_backend.jwt.path
  role_name       = "jwt"
  token_policies  = ["default", "nx-dev"]
  bound_audiences = [data.external.env.result["AZURE_CLIENT_ID"]]

  user_claim            = "oid"
  role_type             = "jwt"
  # groups_claim          = "roles"
  oidc_scopes           = ["https://graph.microsoft.com/.default", "profile", "email"]

  verbose_oidc_logging = true
}

The python script below produces error: “error configuring token validator: unsupported config type”

client = hvac.Client(
    url=VAULT_SERVER, 
    verify=False
    )

auth_oidc: OIDC = client.auth.oidc
auth_result = auth_oidc.jwt_login(
    role='jwt',
    jwt=access_token, 
    path='jwt'
)

How can I fix this ? Thanks in advance !