I’m using Keycloak as the authentication provider for Vault and I want my Keycloak users to have policies inside of Vault without touching Vault.
Let’s say I’ve created a policy named “user” in Vault and a group named “user” in Keycloak. Now I would create a new user and add him to the user group, and I want him to have the user policy in Vault when he logs into Vault.
The OIDC guide shows something similar, except that one needs to create a role per group and use it for the login. But this would mean that every user needs to know his role to use it for the login, or at least that the application that performs the login would need to know which role needs to be used. I don’t want to specify it beforehand. The policies of the user should be known after the login based on the group (or the Keycloak roles) inside of Keycloak.
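The setup the post is asking for, as an added example that is not part of the original post and not taken from the Vault or Keycloak documentation: one generic OIDC role for every login, a `groups` claim sent by Keycloak, and Vault's external identity groups plus a group alias to translate that claim into the `user` policy. The realm URL, client id and secret, redirect URIs, and the `DRY_RUN` switch are assumptions for the example; the Keycloak side is assumed to have a "Group Membership" mapper on the Vault client emitting a `groups` claim with "Full group path" disabled.

```sh
#!/bin/sh
# Added example (not from the original post): map a Keycloak group to a Vault
# policy via Vault identity groups, so the OIDC login uses one generic role.
# Assumed placeholders: realm URL, client id/secret, policy "user", group "user".
# Run with DRY_RUN=1 to print the vault commands instead of executing them.
set -eu

KEYCLOAK_ISSUER="${KEYCLOAK_ISSUER:-https://keycloak.example.com/realms/myrealm}"
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-vault}"
OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-replace-me}"   # placeholder secret
DRY_RUN="${DRY_RUN:-0}"

# Run vault, or print the command line when DRY_RUN=1.
vault_cmd() {
  if [ "$DRY_RUN" = 1 ]; then printf 'vault %s\n' "$*"; else vault "$@"; fi
}

# Accessor of the oidc auth mount: group aliases are scoped to a mount accessor.
oidc_mount_accessor() {
  if [ "$DRY_RUN" = 1 ]; then echo '<oidc-accessor>'; return 0; fi
  vault auth list -format=json | jq -r '."oidc/".accessor'
}

# Id of an identity group looked up by name (the alias needs the id).
lookup_group_id() {
  if [ "$DRY_RUN" = 1 ]; then echo "<id-of-$1>"; return 0; fi
  vault read -field=id "identity/group/name/$1"
}

# One generic role for everybody. It grants only "default"; the real policies
# come from group membership. groups_claim names the token claim Keycloak must
# send (Group Membership mapper, "Full group path" off; with it on, the values
# arrive as "/user" and the alias below would have to be named "/user").
configure_oidc() {
  vault_cmd auth enable oidc
  vault_cmd write auth/oidc/config \
    oidc_discovery_url="$KEYCLOAK_ISSUER" \
    oidc_client_id="$OIDC_CLIENT_ID" \
    oidc_client_secret="$OIDC_CLIENT_SECRET" \
    default_role=default
  vault_cmd write auth/oidc/role/default \
    user_claim=sub \
    groups_claim=groups \
    bound_audiences="$OIDC_CLIENT_ID" \
    allowed_redirect_uris=http://localhost:8250/oidc/callback \
    allowed_redirect_uris=https://vault.example.com/ui/vault/auth/oidc/oidc/callback \
    token_policies=default
}

# External group "$1" carries policy "$2". The alias named "$1" must match the
# value in the groups claim exactly; it links Keycloak membership to the group.
map_group_to_policy() {
  group="$1"; policy="$2"
  vault_cmd write identity/group name="$group" type=external policies="$policy"
  vault_cmd write identity/group-alias \
    name="$group" \
    mount_accessor="$(oidc_mount_accessor)" \
    canonical_id="$(lookup_group_id "$group")"
}

# Usage: DRY_RUN=1 sh keycloak-groups.sh        (print the commands)
#        sh keycloak-groups.sh apply            (run against a live Vault)
if [ "${1:-}" = apply ] || [ "$DRY_RUN" = 1 ]; then
  configure_oidc
  map_group_to_policy user user
fi
```

After `vault login -method=oidc` (no `role=` needed because `default_role` is set), `vault token lookup` should list `user` under `identity_policies` for a member of the Keycloak group; adding or removing the user from the group in Keycloak changes what the next login receives, while tokens already issued keep the policies they were given.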