Group policies are not applied when logging in using OIDC

Hi, I just enabled OIDC authentication using Google. I set up the Vault auth using the following commands:

vault write auth/oidc/config -<<EOF
{
    "oidc_discovery_url": "",
    "oidc_client_id": "",
    "oidc_client_secret": "xxxxxxxxxxxxxx",
    "default_role": "noaccess",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/var/vault/sa.json",
        "gsuite_admin_impersonate": "",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5
    }
}
EOF

vault write auth/oidc/role/noaccess \
    allowed_redirect_uris="" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    user_claim="sub" \
    policies="no-access" \
    groups_claim="groups"

vault write identity/group name="group1@xxxxxx" type="external" \
        policies="reader"

export GROUP_ID="xxxxxxxxxxx"

vault auth list -format=json | jq -r '."oidc/".accessor' > accessor.txt

vault write identity/group-alias name="group1@xxxxx" \
        mount_accessor=$(cat accessor.txt) \
        canonical_id=$GROUP_ID

I tried to log in to Vault, but the policies applied to the group are incorrect. It’s using the default policies given to the OIDC configuration.

Am I missing something here?


If I’m understanding correctly, you want only the “no-access” policy to be assigned by default. However, when someone logs in they’re getting the “default” policy along with the “no-access” policy.

Note that I’m making an assumption here. You can provide the output of vault token lookup to provide some additional context for troubleshooting.

If my assumption is accurate, then in your role configuration you may need to add token_no_default_policy = true to prevent the “default” policy from being applied.
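The reply asks for the output of vault token lookup. The script below is an added illustration for this thread, not code from either post or from Vault: it takes the JSON shapes of `vault auth list`, `vault read auth/oidc/role/...`, `vault read identity/group/name/...`, `vault read identity/group-alias/id/...` and `vault token lookup` (all documents here are constructed with placeholder ids and group names) and checks the three things that decide whether an external group's policies reach the token: the alias is bound to the OIDC mount accessor, the alias has a canonical_id pointing at the group, and the alias name equals a value in the groups claim (assumed here to be the group e-mail address, as the gsuite provider populates it). It separately reports the "default" policy case the reply describes.

```python
"""Offline check of a Vault OIDC -> external identity group mapping.

Added example, not Vault code.  The JSON documents are constructed to mirror
`vault <cmd> -format=json` output; field names follow Vault's identity and
token APIs, and every id, accessor and group name is a placeholder.
"""
import json

# Constructed: `vault auth list -format=json`, oidc/ mount only
AUTH_LIST = json.dumps({"oidc/": {"type": "oidc", "accessor": "auth_oidc_placeholder"}})

# Constructed: `vault read auth/oidc/role/noaccess -format=json`, before and after
ROLE = json.dumps({"data": {"user_claim": "sub", "groups_claim": "groups",
                            "token_policies": ["no-access"], "token_no_default_policy": False}})
ROLE_FIXED = json.dumps({"data": {"user_claim": "sub", "groups_claim": "groups",
                                  "token_policies": ["no-access"], "token_no_default_policy": True}})

# Constructed: `vault read identity/group/name/group1@example.com -format=json`
GROUP = json.dumps({"data": {"id": "group-id-placeholder", "name": "group1@example.com",
                             "type": "external", "policies": ["reader"]}})

# Constructed aliases: written without canonical_id (bound to no group) and with it
ALIAS_UNBOUND = json.dumps({"data": {"name": "group1@example.com",
                                     "mount_accessor": "auth_oidc_placeholder", "canonical_id": ""}})
ALIAS_BOUND = json.dumps({"data": {"name": "group1@example.com",
                                   "mount_accessor": "auth_oidc_placeholder",
                                   "canonical_id": "group-id-placeholder"}})

# Constructed: `vault token lookup -format=json` after login; identity_policies
# is where policies inherited through identity groups show up.
TOKEN_BEFORE = json.dumps({"data": {"policies": ["default", "no-access"],
                                    "identity_policies": [], "entity_id": "entity-placeholder"}})
TOKEN_AFTER = json.dumps({"data": {"policies": ["no-access"],
                                   "identity_policies": ["reader"], "entity_id": "entity-placeholder"}})


def oidc_accessor(auth_list_json, mount="oidc/"):
    """Accessor of the OIDC auth mount, what the jq one-liner in the question extracts."""
    return json.loads(auth_list_json)[mount]["accessor"]


def effective_policies(token_json):
    """Policies the token really carries: direct token policies plus inherited ones."""
    data = json.loads(token_json)["data"]
    return sorted(set(data.get("policies", [])) | set(data.get("identity_policies", [])))


def diagnose(auth_list_json, role_json, group_json, alias_json, token_json, groups_claim):
    """Return findings explaining why group policies did not apply ([] if mapping is sound).

    groups_claim: values Vault saw in the role's groups_claim for this user
    (constructed here; with the gsuite provider and fetch_groups these are group e-mails).
    """
    findings = []
    accessor = oidc_accessor(auth_list_json)
    role = json.loads(role_json)["data"]
    group = json.loads(group_json)["data"]
    alias = json.loads(alias_json)["data"]
    token = json.loads(token_json)["data"]

    # The alias only matches claims that arrive through this one auth mount.
    if alias["mount_accessor"] != accessor:
        findings.append(f"alias mount_accessor {alias['mount_accessor']!r} "
                        f"is not the oidc/ accessor {accessor!r}")
    # Without canonical_id the alias belongs to no group, so nothing is inherited.
    if alias["canonical_id"] != group["id"]:
        findings.append(f"alias canonical_id {alias['canonical_id']!r} does not reference group id "
                        f"{group['id']!r}; write identity/group-alias with canonical_id=<group id>")
    # The alias name must equal one of the claim values exactly.
    if alias["name"] not in groups_claim:
        findings.append(f"alias name {alias['name']!r} is not among {role['groups_claim']} "
                        f"claim values {groups_claim!r}")
    # The default policy is a separate knob from group mapping.
    if "default" in token["policies"] and not role.get("token_no_default_policy"):
        findings.append("token carries the default policy; set token_no_default_policy=true "
                        "on the role to keep only role and group policies")
    # If the mapping looks right, the group's policies must appear in identity_policies.
    missing = set(group["policies"]) - set(token.get("identity_policies", []))
    if not findings and missing:
        findings.append(f"group policies {sorted(missing)!r} missing from identity_policies")
    return findings


if __name__ == "__main__":
    claim = ["group1@example.com"]
    print("before:", effective_policies(TOKEN_BEFORE),
          diagnose(AUTH_LIST, ROLE, GROUP, ALIAS_UNBOUND, TOKEN_BEFORE, claim))
    print("after: ", effective_policies(TOKEN_AFTER),
          diagnose(AUTH_LIST, ROLE_FIXED, GROUP, ALIAS_BOUND, TOKEN_AFTER, claim))
```

Run against real output, the "before" documents would be replaced by the actual `-format=json` results; the point of `effective_policies` is that a token lookup showing only `policies` and an empty `identity_policies` means the group mapping never resolved, independently of whether "default" is present.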