Hi,
I’ve configured an OIDC auth method to vault using Azure AD, I can successfully authenticate as users granted access to the app registration. I now need to assign users Vault roles based on if they are a member of an Azure AD group.
I was wondering if anybody was able to expand upon this statement in the docs:
Finally Azure AD group can be referenced by using the groups objectId
as the group alias name for the external group.
(source: https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html#azure-active-directory-aad-)
My role configuration to allow access to a “green” kv engine looks like this:
vault write auth/oidc/role/green \
    bound_audiences="Azure AD Client ID" \
    allowed_redirect_uris="https://mydomain:8200/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    oidc_scopes="https://graph.microsoft.com/.default" \
    user_claim="email" \
    groups_claim="groups" \
    policies="green"
I need to create a "green" Azure AD group and reference that somehow, but I'm not sure how from the available documentation.
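As an added example (not code from the original post or from HashiCorp), the provisioning that the quoted docs sentence describes as a small POSIX shell script: an external identity group that carries the policy, aliased to the Azure AD group objectId on the OIDC mount. The mount path auth/oidc, the accessor argument and the GUID are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: create a Vault external identity
# group that carries the "green" policy and alias it to an Azure AD group
# objectId, which is the value Azure emits in the token's "groups" claim.
# Assumptions (placeholders): the OIDC method is mounted at auth/oidc, VAULT_ADDR
# and VAULT_TOKEN are already set, and the objectId used below is constructed.
set -eu

# Execute a command, or only print it when DRY_RUN is set (review before applying).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Like run, but the command's output is needed; in DRY_RUN return a placeholder.
capture() {
  placeholder="$1"; shift
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*" >&2; printf '%s' "$placeholder"
  else "$@"; fi
}

# Usage: map_aad_group <vault_group> <policy> <aad_group_object_id> <oidc_accessor>
# The accessor is the "Accessor" column for oidc/ in `vault auth list`.
map_aad_group() {
  vault_group="$1"; policy="$2"; object_id="$3"; accessor="$4"

  # An alias that is not the exact GUID matches nothing and fails silently at
  # login, so reject anything that is not GUID-shaped up front.
  printf '%s' "$object_id" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "not an Azure AD objectId (GUID): $object_id" >&2; return 1; }

  # 1. External group: this is where the policy belongs, so only members of the
  #    Azure AD group receive it (the OIDC role itself can stay policy-free).
  run vault write identity/group name="$vault_group" type=external policies="$policy"
  group_id=$(capture '<group-id>' vault read -field=id "identity/group/name/$vault_group")

  # 2. Group alias on the OIDC mount: alias name == Azure AD group objectId.
  #    At login Vault matches each entry of the "groups" claim against alias names.
  run vault write identity/group-alias name="$object_id" \
    mount_accessor="$accessor" canonical_id="$group_id"
}

# Example invocation (constructed GUID and accessor), printing instead of applying:
#   DRY_RUN=1 map_aad_group green green 11111111-2222-3333-4444-555555555555 auth_oidc_placeholder
```

The Azure app registration must be set to emit the groups claim (Token configuration, or groupMembershipClaims in the manifest) or the "groups" claim Vault looks at is absent. With the alias in place, policies="green" on the role grants the policy to every user the role admits, member or not, so it is the group rather than the role that should carry it.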