Failing to create a policy using JWT claims

I am trying to set up Vault so that it uses OIDC JWT authentication to log in to Vault, so that the JWT gets validated and returns a Vault token that allows the client to decrypt one specific key linked to the JWT claims, but I am failing to get it working.

I have set up a Vault auth method using OIDC JWT like this:

vault auth enable jwt
vault write auth/jwt/config oidc_discovery_url=""

I would like to create a policy that would allow a tenant to decrypt only its own tenant keyring. Here it is:

vault policy write tenant-only-read -<<EOF
path "tenants-keyrings/decrypt/{{identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId}}" {
  capabilities = ["update"]
}
EOF

Notice the JWT mount accessor used in the template, which references the JWT auth method enabled above.

I have created a role for a given tenant:

vault write auth/jwt/role/tenant-4fd42609-25ac-45B2-b21e-d2c57a59d714 -<<EOF
{
  "role_type": "jwt",
  "user_claim": "tenant_id",
  "policies": ["tenant-only-read"],
  "bound_claims": {
    "tenant_id": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
  },
  "claim_mappings": {
    "tenant_id": "tenantId"
  }
}
EOF

Notice the claim_mappings entry that keeps the tenant id in the entity alias metadata.
I manage to log in to Vault successfully, which is great because it means the JWT is valid,
but when I try to decrypt a value for this tenant (using the newly provided Vault token) I get a permission denied:

vault write tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714 ciphertext=vault:v1:xrSHgI23JEshy09bFLZnlc+Yde+DI7MwUu7Xu5wYpfWy9co=
Error writing data to tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714: Error making API request.

URL: PUT http://localhost:8200/v1/tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714
Code: 403. Errors:

* 1 error occurred:
	* permission denied

When I look at the entity associated with my Vault token I get this:

vault read -format=json identity/entity/id/50070227-48c2-2365-eccd-80d4d6227d93
{
  "request_id": "ffa760e7-0fad-66f0-53fa-31eb77373f6b",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "aliases": [
      {
        "canonical_id": "50070227-48c2-2365-eccd-80d4d6227d93",
        "creation_time": "2021-12-04T19:16:49.173785374Z",
        "custom_metadata": null,
        "id": "18e3d9c9-9168-0113-d6c0-26123a031760",
        "last_update_time": "2021-12-04T19:16:49.173785374Z",
        "local": false,
        "merged_from_canonical_ids": null,
        "metadata": {
          "tenantId": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
        },
        "mount_accessor": "auth_jwt_b6c97ee6",
        "mount_path": "auth/jwt/",
        "mount_type": "jwt",
        "name": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
      }
    ],
    "creation_time": "2021-12-04T19:16:49.173773074Z",
    "direct_group_ids": [],
    "disabled": false,
    "group_ids": [],
    "id": "50070227-48c2-2365-eccd-80d4d6227d93",
    "inherited_group_ids": [],
    "last_update_time": "2021-12-04T19:16:49.173773074Z",
    "merged_entity_ids": null,
    "metadata": null,
    "name": "entity_a6a593f2",
    "namespace_id": "root",
    "policies": []
  },
  "warnings": null
}

This looks fine to me, as identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId equals “4fd42609-25ac-45b2-b21e-d2c57a59d714”, which is the required key, but it is not working.

Any help would be much appreciated.


PS: I have also tried to use the {{}} instead, but it is also failing.
PPS: replacing the {{template}} with a * works perfectly (path “tenants-keyrings/decrypt/*”).

I have found my mistake :frowning:
4fd42609-25ac-45B2-b21e-d2c57a59d714 != 4fd42609-25ac-45b2-b21e-d2c57a59d714

There is an uppercase B and a lowercase b, so the two strings did not match.
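The following is an added example, not code from the thread or from Vault itself. It models, in a simplified way, how Vault resolves an `{{identity.entity.aliases.<accessor>.metadata.<key>}}` template from the entity document the poster read back, then compares the rendered path against the request path the way an ACL check does (byte-for-byte, with a trailing `*` acting as a prefix glob). Run against the two request paths from the thread, it reproduces the 403 on the uppercase-`B` path, explains that the only difference is letter case, and shows why the `*` workaround from the PPS "works": it matches every tenant's keyring, which is exactly the isolation the templated policy was meant to enforce. The entity JSON is a constructed, trimmed copy of the one in the thread; the template regex supports only the alias-metadata form and is an assumption, not Vault's own parser.

```python
import json
import re

# Constructed sample: the entity document from the thread, trimmed to the
# fields the template needs (not a live Vault response).
ENTITY_JSON = """
{
  "data": {
    "id": "50070227-48c2-2365-eccd-80d4d6227d93",
    "name": "entity_a6a593f2",
    "aliases": [
      {
        "mount_accessor": "auth_jwt_b6c97ee6",
        "name": "4fd42609-25ac-45b2-b21e-d2c57a59d714",
        "metadata": {"tenantId": "4fd42609-25ac-45b2-b21e-d2c57a59d714"}
      }
    ]
  }
}
"""

# The path rule from the poster's tenant-only-read policy.
POLICY_PATH = ("tenants-keyrings/decrypt/"
               "{{identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId}}")

# Simplified model (assumption): only the alias-metadata template form.
TEMPLATE_RE = re.compile(
    r"\{\{\s*identity\.entity\.aliases\.([^.}\s]+)\.metadata\.([^.}\s]+)\s*\}\}"
)


def load_entity(raw=ENTITY_JSON):
    """Parse an entity document as returned by `vault read -format=json identity/entity/id/<id>`."""
    return json.loads(raw)


def render_policy_path(template, entity):
    """Substitute {{identity.entity.aliases.<accessor>.metadata.<key>}} with the
    value stored on the entity alias for that mount accessor. Raises KeyError
    if the alias or metadata key is absent, which is also a reason Vault would
    deny the request (an unrenderable rule never matches)."""
    aliases = {a["mount_accessor"]: a for a in entity["data"]["aliases"]}

    def substitute(match):
        accessor, key = match.group(1), match.group(2)
        alias = aliases.get(accessor)
        if alias is None:
            raise KeyError(f"entity has no alias for mount accessor {accessor}")
        metadata = alias.get("metadata") or {}
        if key not in metadata:
            raise KeyError(f"alias {accessor} has no metadata key {key}")
        return metadata[key]

    return TEMPLATE_RE.sub(substitute, template)


def path_matches(policy_path, request_path):
    """Case-sensitive comparison; a trailing '*' is a prefix glob."""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return policy_path == request_path


def diagnose(policy_path, request_path):
    """Return (allowed, reason), pointing out a case-only mismatch explicitly."""
    if path_matches(policy_path, request_path):
        return True, "path matches"
    if policy_path.lower() == request_path.lower():
        return False, "paths differ only by letter case; path comparison is case-sensitive"
    return False, "path does not match the rendered policy path"


def demo():
    entity = load_entity()
    rendered = render_policy_path(POLICY_PATH, entity)
    bad = "tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714"   # from the thread
    good = "tenants-keyrings/decrypt/4fd42609-25ac-45b2-b21e-d2c57a59d714"
    other_tenant = "tenants-keyrings/decrypt/11111111-2222-3333-4444-555555555555"  # constructed
    return {
        "rendered": rendered,
        "uppercase_B": diagnose(rendered, bad),
        "lowercase_b": diagnose(rendered, good),
        # The '*' workaround also admits a different tenant's keyring.
        "wildcard_other_tenant": diagnose("tenants-keyrings/decrypt/*", other_tenant),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical takeaway for a tenant-isolation design: the value copied into alias metadata by `claim_mappings` is used verbatim, so the issuer of the JWT and every client building a request path must agree on one canonical form of the tenant id (for example, lowercase UUIDs) before the token is minted, and a `*` in the policy path should be treated as a test-only shortcut, never a fix.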