I’m using keycloak as the authentication provider for vault and I want my keycloak users to have policies inside of vault without touching vault.
Example:
Let’s say I’ve created a policy named “user” in vault and a group named “user” in keycloak. Now I would create a new user and add him into the user group and I want him to have the user policy in vault when he logs into vault.
The oidc guide shows something similar except that one needs to create a role per group and use it for the login. But this would mean that every user needs to know his role to use it for the login or least that the application that performs the login would need to know which role needs to be used. I don’t want to specify it beforehand. The policies of the user should be known after the login based on the group (or the keycloak roles) inside of keycloak.
Please, excuse me if I did not get your question right, but the way I understand is how to assign policies to users in OIDC without the users providing a specific role while logging in, correct?
The way i would setup this is by specifying default_role when configuring OIDC auth method. My config looks like :
So every time the user logs in using OIDC, default_role is picked, you have to define the OIDC role named default_role_in_vault in Vault and its group claims should be used to determine the group membership.
@r.souza It is usually more effective to start a new topic in which you completely describe the issue that you yourself are having, rather than adding on to a long ago existing topic.