Hi, I just enabled OIDC authentication using Google. I set up the Vault auth using the following commands:
vault write auth/oidc/config -<<EOF
{
"oidc_discovery_url": "https://accounts.google.com",
"oidc_client_id": "xxxxxxx.apps.googleusercontent.com",
"oidc_client_secret": "xxxxxxxxxxxxxx",
"default_role": "noaccess",
"provider_config": {
"provider": "gsuite",
"gsuite_service_account": "/var/vault/sa.json",
"gsuite_admin_impersonate": "xxxxxxxx@xxxxxx.com",
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5
}
}
EOF
vault write auth/oidc/role/noaccess \
allowed_redirect_uris="https://xxxxxxxxxxx.com/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies="no-access" \
groups_claim="groups" \
bound_audiences="xxxxxxxxxx.apps.googleusercontent.com"
vault write identity/group name="group1@xxxxxx" type="external" \
policies="reader" \
metadata=responsibility="reader"
export GROUP_ID="xxxxxxxxxxx"
vault auth list -format=json | jq -r '."oidc/".accessor' > accessor.txt
vault write identity/group-alias name="group1@xxxxx" \
mount_accessor=$(cat accessor.txt) \
canonical_id="$GROUP_ID"
I tried to log in to Vault, but the policies applied to the group are incorrect. It's using the default policies given in the OIDC configuration.
Am I missing something here?
Thanks
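An added example, not part of the post above and not Vault's own code: a small model of the rule Vault's identity system applies when it maps an OIDC groups claim onto external groups, useful for checking a setup like this one before logging in. It assumes an external group only contributes its policies when a registered alias's (name, mount_accessor) pair exactly equals (claim value, OIDC mount accessor); all identifiers and claim payloads below are constructed stand-ins for the redacted ones.

```python
# Model of Vault's external-group matching for an OIDC login (assumption, not
# Vault source). Everything below is constructed sample data.
OIDC_ACCESSOR = "auth_oidc_0123abcd"  # constructed; real value comes from `vault auth list`

role = {"groups_claim": "groups", "policies": ["no-access"]}
external_groups = {"grp-id-1": {"name": "group1@example.com", "policies": ["reader"]}}
group_aliases = [
    {"name": "group1@example.com", "mount_accessor": OIDC_ACCESSOR, "canonical_id": "grp-id-1"},
]


def effective_policies(claims, role, external_groups, group_aliases, accessor):
    """Return (sorted policies, aliases that matched nothing) for a login carrying `claims`.

    A login always gets the role's policies; an external group's policies are added
    only when one of its aliases matches a groups-claim value on this mount exactly.
    """
    claim_groups = claims.get(role["groups_claim"], [])
    if isinstance(claim_groups, str):       # providers sometimes send a single string
        claim_groups = [claim_groups]
    policies = set(role["policies"])
    matched = set()
    for alias in group_aliases:
        if alias["mount_accessor"] == accessor and alias["name"] in claim_groups:
            policies.update(external_groups[alias["canonical_id"]]["policies"])
            matched.add(alias["name"])
    unmatched = [a["name"] for a in group_aliases if a["name"] not in matched]
    return sorted(policies), unmatched


def diagnose(claims):
    """Convenience wrapper over the constructed config above."""
    return effective_policies(claims, role, external_groups, group_aliases, OIDC_ACCESSOR)


if __name__ == "__main__":
    # Constructed claim sets: exact match, case mismatch, and no groups claim at all.
    for label, claims in [
        ("exact", {"sub": "u1", "groups": ["group1@example.com"]}),
        ("case-mismatch", {"sub": "u1", "groups": ["Group1@example.com"]}),
        ("no-groups-claim", {"sub": "u1"}),
    ]:
        print(label, diagnose(claims))
```

The last two cases reproduce the symptom of only the role's default policies being applied; a non-empty "unmatched" list points at the alias whose name or mount accessor does not line up with what the provider actually sends.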