Hey,
I am running vault and using OIDC as my auth method.
I also have a group with an alias of one of my user’s groups.
My problem is that anyone on my domain can access my vault using OIDC
and I want to make sure that only members belonging to the group with the alias can access the vault.
I tried solving it by changing the default policy to:
path "*" {
capabilities = ["deny"]
}
and creating a policy named admin that looks like this:
and applying the admin policy to my group with the alias.
But that way, when I try to log in to Vault using OIDC as a user who is a member of that group with the admin policy, the default policy denies the login.
Do you have any suggestions for the best solution to this problem?
There are two things happening here: authentication and authorization. Vault allows you to log in if you succeed at the authentication step. You will see nothing other than the cubbyhole (in the UI). I don't know how you could change that.
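One way to move the restriction from the authorization step to the authentication step is to set `bound_claims` on the OIDC role, so a login whose id_token does not carry the required group is refused a token at all and the default policy can stay untouched. This is an added example, not configuration from either poster; the mount path `auth/oidc`, the role name `default`, the `groups` claim name and the group `vault-admins` are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): restrict OIDC authentication to one IdP
# group via bound_claims. Assumed, constructed values: auth method at auth/oidc,
# role "default", IdP sends a "groups" claim, allowed group "vault-admins".
set -euo pipefail

# Emit the role body as JSON so the map-typed bound_claims field is passed
# unambiguously; `vault write` reads it with the @file form.
build_role_json() {
  local claim="$1" group="$2" client_id="$3" vault_addr="$4"
  printf '{"role_type":"oidc","user_claim":"email","bound_audiences":["%s"],' "$client_id"
  printf '"allowed_redirect_uris":["%s/ui/vault/auth/oidc/oidc/callback"],' "$vault_addr"
  # groups_claim feeds the same claim to the external group alias (authorization);
  # bound_claims makes the login itself fail unless the claim contains the group.
  printf '"groups_claim":"%s","bound_claims":{"%s":["%s"]},' "$claim" "$claim" "$group"
  printf '"token_policies":["default"]}\n'
}

# Write the role; OIDC_CLIENT_ID and VAULT_ADDR must be set in the environment.
restrict_oidc_role() {
  local role="${1:-default}" claim="${2:-groups}" group="${3:-vault-admins}"
  local tmp
  tmp="$(mktemp)"
  build_role_json "$claim" "$group" "${OIDC_CLIENT_ID:?}" "${VAULT_ADDR:?}" > "$tmp"
  vault write "auth/oidc/role/${role}" @"$tmp"
  rm -f "$tmp"
}
```

The admin policy then stays attached to the group alias as before; members get it on login, and everyone else never gets past authentication.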