I am trying to log in to Vault using OIDC. I am trying this on a production server.
When trying to login via CLI, the role can be specified arbitrarily by the end user as follows.
```
vault login -method=oidc role="reader"
```
In this case, as long as the user knows the role name, he/she can access information using a role that is assigned a policy with higher privileges than his/her own.
Is it possible to disable the option “role” in the above login command with OIDC?
Note that a similar question was asked in the past but no clear solution was provided.
You can set a default role in the OIDC configuration and leave the role text box empty.
If you want to limit who can use which role, you must configure bound_audience in your role. Each key in the array must match keys in the OIDC token. For example, you can use "aud" or "sub".
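To make the answer's point concrete, here is an added example (my own model, not code from this thread or from Vault) of why claim binding, rather than hiding the `role=` argument, is what stops a user from borrowing a more privileged role. In Vault the corresponding settings are `default_role` on `auth/oidc/config` and `bound_audiences`, `bound_subject` and `bound_claims` on `auth/oidc/role/<name>`; the matching logic below is a simplified reimplementation written for this example (assumption: exact string comparison, with list-valued claims matching if any value is allowed), and the roles, policy names and token claims are constructed sample data.

```python
"""Model of how per-role claim bindings gate an OIDC login to Vault.

Added example. The role fields mirror Vault's real parameters
(bound_audiences, bound_subject, bound_claims, token_policies), but the
matching code here is a simplified stand-in, not Vault's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OIDCRole:
    name: str
    token_policies: list[str]
    bound_audiences: list[str] = field(default_factory=list)
    bound_subject: Optional[str] = None
    # claim name -> list of acceptable values (assumption: any-of match)
    bound_claims: dict[str, list[str]] = field(default_factory=dict)


def _claim_values(claims: dict, key: str) -> list:
    """Normalise a claim to a list so scalar and array claims compare alike."""
    value = claims.get(key)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_accepts(role: OIDCRole, claims: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for a verified ID token's claims against a role."""
    if role.bound_audiences and not (
        set(_claim_values(claims, "aud")) & set(role.bound_audiences)
    ):
        return False, "aud claim does not match bound_audiences"
    if role.bound_subject is not None and claims.get("sub") != role.bound_subject:
        return False, "sub claim does not match bound_subject"
    for key, allowed in role.bound_claims.items():
        if not (set(_claim_values(claims, key)) & set(allowed)):
            return False, f"claim {key!r} does not match bound_claims"
    return True, "ok"


def login(roles: dict[str, OIDCRole], default_role: str,
          requested_role: Optional[str], claims: dict) -> dict:
    """Simulate `vault login -method=oidc [role=<name>]`.

    A missing role= argument falls back to default_role; a present one is
    honoured, so the only thing that keeps a user out of a role is binding.
    """
    name = requested_role or default_role
    role = roles.get(name)
    if role is None:
        return {"ok": False, "reason": f"role {name!r} not found"}
    ok, reason = role_accepts(role, claims)
    if not ok:
        return {"ok": False, "reason": reason}
    return {"ok": True, "role": name, "policies": role.token_policies}


# Constructed sample configuration: a bound reader role, a bound admin role,
# and an admin role with no bindings (the situation the question describes).
ROLES = {
    "reader": OIDCRole("reader", ["read-only"], bound_audiences=["vault"],
                       bound_claims={"groups": ["readers", "admins"]}),
    "admin": OIDCRole("admin", ["admin"], bound_audiences=["vault"],
                      bound_claims={"groups": ["admins"]}),
    "admin-unbound": OIDCRole("admin-unbound", ["admin"]),
}

# Constructed sample claims, as they would appear in an already-verified ID token.
ALICE = {"sub": "alice", "aud": "vault", "groups": ["readers"]}
BOB = {"sub": "bob", "aud": "vault", "groups": ["admins"]}


if __name__ == "__main__":
    print(login(ROLES, "reader", None, ALICE))            # alice gets reader
    print(login(ROLES, "reader", "admin", ALICE))         # rejected by bound_claims
    print(login(ROLES, "reader", "admin", BOB))           # bob gets admin
    print(login(ROLES, "reader", "admin-unbound", ALICE)) # unbound role: anyone
```

Run it and compare the second and fourth lines: alice naming `role=admin` is refused because her `groups` claim is not in that role's `bound_claims`, while `admin-unbound`, which has no bindings, hands her admin policies as soon as she guesses its name. That is why the fix is a binding on every role, not removing the `role=` option.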