I am trying to set up OIDC for our environment. I am at a point where I can log in using OIDC, but the token that is created does not get the policies I want.
Here is how I set up OIDC:
$ vault policy write superuser superuser-policy.hcl
$ vault write identity/group name=vault-admins policies=superuser
$ vault auth enable oidc
$ vault write auth/oidc/config oidc_discovery_url="REDACTED" oidc_client_id="REDACTED" oidc_client_secret="REDACTED" default_role=default
$ vault write auth/oidc/role/default role_type=oidc allowed_redirect_uris="https://REDACTED/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback,http://localhost:8200/ui/vault/auth/oidc/oidc/callback" user_claim=email oidc_scopes=profile groups_claim=groups policies=default verbose_oidc_logging=true
I can log in using OIDC, and I can see this in the log:
2022-05-23T20:36:42.635Z [DEBUG] identity: refreshing external group memberships: entity_id=56c042ac-44de-5ff2-7ee4-220e21d2cfb4 group_aliases=["mount_accessor:\"auth_oidc_dfa5a3ac\" name:\"vault-admins\""]
So it seems Vault can see that I am a member of the vault-admins group. I would have expected the superuser policy to be attached to the newly created token, but it is not:
$ vault token lookup REDACTED
Key                 Value
---                 -----
accessor            pkJCPcV7IdrvaYfVpNFe2108
creation_time       1653338202
creation_ttl        768h
display_name        REDACTED
entity_id           56c042ac-44de-5ff2-7ee4-220e21d2cfb4
expire_time         2022-06-24T20:36:42.648476291Z
explicit_max_ttl    0s
id                  REDACTED
issue_time          2022-05-23T20:36:42.648484951Z
meta                map[role:default]
num_uses            0
orphan              true
path                auth/oidc/oidc/callback
policies            [default]
renewable           true
ttl                 767h46m52s
type                service
What am I doing wrong?
Thanks a lot in advance for your help!
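Editor's note with an added example (this is not part of the original post, and the sample strings below are constructed from the values the post shows, with its REDACTED placeholders kept). One check worth making on output like the above: `vault token lookup` lists policies the auth role granted directly under `policies`, while policies inherited from the entity or its identity groups appear under a separate `identity_policies` key. The post's output has no `identity_policies` line at all, so nothing from the group reached the token. The script below parses the lookup output and the identity debug line and reports by which route, if any, the expected policy is attached:

```python
"""Added example (not from the original post): check where, if anywhere,
a Vault policy reached a token by reading `vault token lookup` text output
and the identity debug log line. Sample inputs are constructed from the
values quoted in the post; nothing here talks to a Vault server."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the post's `vault token lookup` output, one field per
# line as the CLI prints it (REDACTED placeholders kept from the post).
SAMPLE_LOOKUP = """\
Key                 Value
---                 -----
accessor            pkJCPcV7IdrvaYfVpNFe2108
creation_time       1653338202
creation_ttl        768h
display_name        REDACTED
entity_id           56c042ac-44de-5ff2-7ee4-220e21d2cfb4
expire_time         2022-06-24T20:36:42.648476291Z
explicit_max_ttl    0s
id                  REDACTED
issue_time          2022-05-23T20:36:42.648484951Z
meta                map[role:default]
num_uses            0
orphan              true
path                auth/oidc/oidc/callback
policies            [default]
renewable           true
ttl                 767h46m52s
type                service
"""

# Constructed sample: the identity debug line quoted in the post. The inner
# quotes are backslash-escaped in Vault's log output, so they are kept that way.
SAMPLE_LOG = (
    '2022-05-23T20:36:42.635Z [DEBUG] identity: refreshing external group '
    'memberships: entity_id=56c042ac-44de-5ff2-7ee4-220e21d2cfb4 '
    'group_aliases=["mount_accessor:\\"auth_oidc_dfa5a3ac\\" name:\\"vault-admins\\""]'
)

ALIAS_RE = re.compile(r'mount_accessor:\\"([^"\\]+)\\" name:\\"([^"\\]+)\\"')


def parse_lookup(text: str) -> Dict[str, str]:
    """Turn the two-column `Key Value` table into a dict; skips the header rows."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or re.match(r"^(Key\s+Value|-+\s+-+)\s*$", line):
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def parse_policy_list(value: str) -> List[str]:
    """The CLI prints policy lists as `[default superuser]`; missing -> []."""
    return value.strip("[]").split()


def parse_group_aliases(log_line: str) -> List[Tuple[str, str]]:
    """(mount_accessor, group name) pairs that the IdP's groups claim produced."""
    return ALIAS_RE.findall(log_line)


def diagnose(lookup_text: str, log_line: str, expected_policy: str) -> Dict[str, object]:
    """Report whether expected_policy is on the token and by which route.

    `policies` holds what the auth role granted directly; policies inherited
    from the entity or its identity groups are listed separately under
    `identity_policies`, which is where a group-to-policy mapping shows up.
    """
    fields = parse_lookup(lookup_text)
    token_policies = parse_policy_list(fields.get("policies", ""))
    identity_policies = parse_policy_list(fields.get("identity_policies", ""))
    claimed = parse_group_aliases(log_line)

    via: Optional[str]
    if expected_policy in token_policies:
        via = "token"        # granted by the auth role itself
    elif expected_policy in identity_policies:
        via = "identity"     # granted by the entity or one of its groups
    else:
        via = None

    if via is not None:
        verdict = f"{expected_policy!r} is attached via {via} policies"
    elif claimed:
        names = ", ".join(f"{name} (mount accessor {acc})" for acc, name in claimed)
        verdict = (
            f"{expected_policy!r} is on neither policies nor identity_policies; "
            f"the IdP sent groups [{names}] but Vault did not resolve them to an "
            f"identity group carrying that policy (check the group is type=external "
            f"and has a group alias on that mount accessor)"
        )
    else:
        verdict = f"{expected_policy!r} is absent and the IdP sent no group claims"

    return {
        "entity_id": fields.get("entity_id"),
        "token_policies": token_policies,
        "identity_policies": identity_policies,
        "claimed_groups": claimed,
        "attached_via": via,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOOKUP, SAMPLE_LOG, "superuser").items():
        print(f"{key}: {value}")
```

On the caveat the verdict points at: the `group_aliases=[...]` list in that debug line is the set of (mount accessor, group name) pairs Vault derived from the IdP's groups claim, not a confirmation that an identity group matched. Vault only populates an identity group from such a claim when the group was created with `type=external` and has a group alias (`identity/group-alias`) whose `mount_accessor` is the OIDC mount's accessor, `auth_oidc_dfa5a3ac` in the log above; a group created with just `vault write identity/group name=... policies=...` is an internal group and is never filled from a claim. If the mapping works, a fresh login's `vault token lookup` gains an `identity_policies` line and `diagnose()` reports `attached_via: identity`.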