Failed to fetch group | OIDC | Gsuite workspace groups


Hello community!
Our use case is simple: I want GSuite users who are in a Google Workspace group to be able to log in to HashiCorp Vault using OIDC.

I have already set the OAuth constraint. Here is the OIDC configuration:

```shell
vault write auth/oidc/config -<<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "oidc_client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "default_role": "testrole1",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/home/vault/sa.json",
    "gsuite_admin_impersonate": "user@xyz.com",
    "fetch_groups": true,
    "groups_recurse_max_depth": 5,
    "domain": "vault.xyz.net"
  }
}
EOF
```
Here is the default-role configuration:

```shell
vault write auth/oidc/role/testrole1 user_claim="sub" bound_audiences="xxxxxxxxxxxxxxxxx.apps.googleusercontent.com" allowed_redirect_uris="https://xyz.com/ui/vault/auth/oidc/oidc/callback" policies="p1" ttl="1m"
```

Here is the role configuration in payload.json:

```json
{
  "user_claim": "sub",
  "bound_audiences": "xxxxxxxxxxxxxx.apps.googleusercontent.com",
  "allowed_redirect_uris": "https://xyz.com/ui/vault/auth/oidc/oidc/callback",
  "policies": "read_only",
  "ttl": "1m",
  "groups_claim": "groups",
  "oidc_scopes": "email",
  "user_claim": "email",
  "bound_claims": {
    "groups": ["oidc-1@xyz.com"]
  }
}
```

Then I run `vault write auth/oidc/role/read1 @payload.json` to create another role.

1. The default role has the Vault policy "p1" with all capabilities: ["read", "update", "delete", "list"].
2. The read1 role has the Vault policy "p1" with the capabilities ["read"].

Can anyone please help here?
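An added check (example code written for this thread, not the poster's or Vault's own) that parses the two payloads above strictly: a repeated key such as `user_claim` is accepted by an ordinary JSON parser with only the last value surviving, and a role that binds on `groups` only has something to match when the gsuite provider is configured with `fetch_groups` set to true. The two sample payloads are constructed from the post, with the secrets left masked and the unbalanced quote on `domain` repaired.

```python
import json

# Constructed samples, taken from the post above (secrets masked, "domain" quote repaired).
OIDC_CONFIG = """{
  "oidc_discovery_url": "https://accounts.google.com",
  "default_role": "testrole1",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/home/vault/sa.json",
    "gsuite_admin_impersonate": "user@xyz.com",
    "fetch_groups": true,
    "groups_recurse_max_depth": 5,
    "domain": "vault.xyz.net"
  }
}"""

ROLE_PAYLOAD = """{
  "user_claim": "sub",
  "policies": "read_only",
  "groups_claim": "groups",
  "oidc_scopes": "email",
  "user_claim": "email",
  "bound_claims": {"groups": ["oidc-1@xyz.com"]}
}"""


def duplicate_keys(text: str) -> list[str]:
    """Return every object key that appears more than once at the same nesting level.

    json.loads() keeps only the last value for a repeated key, so a stray duplicate
    is silently accepted by any tool that parses the file the normal way.
    """
    dupes: list[str] = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dupes


def lint(config_text: str, role_text: str) -> list[str]:
    """Findings for an OIDC mount config plus a role that restricts login by group."""
    findings = [f"role: duplicate key {k!r}, only the last value survives" for k in duplicate_keys(role_text)]
    findings += [f"config: duplicate key {k!r}, only the last value survives" for k in duplicate_keys(config_text)]
    role, provider = json.loads(role_text), json.loads(config_text).get("provider_config", {})
    if role.get("bound_claims", {}).get("groups"):  # the role only admits members of listed groups
        if provider.get("provider") != "gsuite":
            findings.append("role binds on groups but provider_config.provider is not gsuite")
        elif not provider.get("fetch_groups"):
            findings.append("role binds on groups but provider_config.fetch_groups is not true")
    return findings
```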