OIDC - able to login but policy trouble

Hi all,

I succeeded in logging in with OIDC with a group thanks to bound_claims :slight_smile: .
This information is provided by my OAuth authority in the "supgroup" field.

Unfortunately, I have a problem with the policy :confused:

    - type: oidc
      path: oidc
      config:
        oidc_discovery_url: "https://my_idp.com"
        oidc_client_id: "titi"
        oidc_client_secret: "toto"
        default_role: admin
      roles:
        - name: admin
          role_type: oidc
          oidc_scopes: "openid supgroup"
          allowed_redirect_uris: "https://mycallback"
          user_claim: sub
          bound_claims: {"supgroup": ["my_supportgroup"]}
          policies: "policy-admin"
          ttl: 10m
          max_ttl: 60m
          num_uses: 3
      policies:
        - name: policy-admin
          rules: path "*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}

This is working fine, but when I am logged in, I get:
"You don't have access to secret/. If you think you've reached this page in error, please contact your administrator.
Go back home."

Do you have an idea, please?

Version: 1.3.1

Hi there!

Your policy looks fine and should work.
Would it be possible for you to validate if the policy is active and attached to your current session?
Also make sure that token_policies (https://www.vaultproject.io/api-docs/auth/jwt/#inlinecode-token_policies-25) contains the name of your policy, e.g. policy-admin.

Cheers,
Michel
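The checks Michel suggests can be run offline against the JSON the Vault CLI hands back. The script below is an added example, not code from the original poster, from Michel, or from Vault itself: it takes constructed sample output (embedded inline, not captured from a real server) shaped like `vault read -format=json auth/oidc/role/admin`, `vault token lookup -format=json` and `vault policy read policy-admin`, and reports whether the role actually names the policy (under `token_policies` or the older `policies` key), whether the logged-in token carries it, and what the policy's `path` rules grant on `secret/`. The policy parser only understands the `path "..." { capabilities = [...] }` stanza form used in the post, and the capability resolution (exact rule wins, then longest matching glob, `deny` overrides) is a simplification of Vault's own matching; both are assumptions of this example.

```python
import json
import re

# Constructed sample data (not captured from a real Vault): what
# `vault read -format=json auth/oidc/role/admin`, `vault token lookup -format=json`
# and `vault policy read policy-admin` would return for the configuration in the post.
ROLE_JSON = json.dumps({"data": {
    "user_claim": "sub",
    "bound_claims": {"supgroup": ["my_supportgroup"]},
    "token_policies": ["policy-admin"],
    "policies": ["policy-admin"],  # deprecated alias still shown by 1.3.x
}})
# Same role with a misspelled policy name, to show what a mismatch looks like.
ROLE_JSON_TYPO = json.dumps({"data": {"user_claim": "sub",
                                      "token_policies": ["policy_admin"]}})
TOKEN_JSON = json.dumps({"data": {"policies": ["default", "policy-admin"],
                                  "ttl": 600, "num_uses": 3}})
TOKEN_JSON_DEFAULT_ONLY = json.dumps({"data": {"policies": ["default"]}})
POLICY_HCL = 'path "*" {capabilities = ["create", "read", "update", "delete", "list", "sudo"]}'

# Matches one `path "<glob>" { ... capabilities = [ ... ] ... }` stanza (not a full HCL parser).
PATH_RULE = re.compile(r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)


def parse_policy(hcl):
    """Return {path_glob: [capabilities]} for every path stanza in the policy text."""
    rules = {}
    for m in PATH_RULE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()]
        rules[m.group(1)] = caps
    return rules


def rule_to_regex(rule):
    """Vault path-glob semantics: '+' matches one segment, a trailing '*' matches any suffix."""
    prefix_glob = rule.endswith("*")
    body = rule[:-1] if prefix_glob else rule
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if prefix_glob else "") + "$")


def capabilities_for(rules, path):
    """Capabilities the parsed policy grants on `path`.

    Simplified resolution (assumption of this example): an exact rule wins,
    otherwise the longest matching glob, and a rule carrying 'deny' overrides all.
    """
    if path in rules:
        caps = rules[path]
    else:
        matches = [r for r in rules if rule_to_regex(r).match(path)]
        if not matches:
            return []
        caps = rules[max(matches, key=len)]
    return ["deny"] if "deny" in caps else list(caps)


def diagnose(role_json, token_json, policy_hcl, policy_name, path="secret/"):
    """Run the three checks from the reply over CLI output captured as JSON."""
    role = json.loads(role_json)["data"]
    token = json.loads(token_json)["data"]
    # The role may name its policies under token_policies or the deprecated policies key.
    role_policies = set(role.get("token_policies", [])) | set(role.get("policies", []))
    token_policies = token.get("policies", [])
    caps = capabilities_for(parse_policy(policy_hcl), path)
    return {
        "role_attaches_policy": policy_name in role_policies,
        "token_has_policy": policy_name in token_policies,
        "capabilities": caps,
        # The UI needs `list` on the mount path to render the secrets list.
        "ui_can_list": policy_name in token_policies and "list" in caps,
    }


if __name__ == "__main__":
    print(diagnose(ROLE_JSON, TOKEN_JSON, POLICY_HCL, "policy-admin"))
    print(diagnose(ROLE_JSON_TYPO, TOKEN_JSON_DEFAULT_ONLY, POLICY_HCL, "policy-admin"))
```

Against a live server the same three answers come from `vault read -format=json auth/oidc/role/admin`, `vault token lookup -format=json` and `vault policy read policy-admin`; the shortest single check is `vault token capabilities secret/` with the OIDC token in use, which should list `list` among the capabilities if the policy is attached as intended.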