Unable to get user/group list when integrated with Okta

Hey Guys,
I am using HashiCorp Vault version v1.0.2. We have an integration with Okta. I want to view the existing Okta users and groups, but I am not able to see them.
I have already tried these HTTP calls
curl --header "X-Vault-Token: abc" https://vault-domain:8200/v1/auth/okta/users
This user call doesn’t work

curl --header "X-Vault-Token: abc" https://vault-domain:8200/v1/auth/okta/config
This config call works

In the GUI, there is an Access tab but no group information.

The Terraform file looks like this
resource "A" "B" {
  path       = "okta"
  group_name = "grp"
  policies   = ["pol1", "pol2"]
}
But I am not able to check this configuration from the Vault box or the GUI.
Can anyone assist me in adding a new Okta group to a policy without breaking anything, as Vault overwrites the files?

You will need to use --request LIST in your API call. Same goes for listing groups. See: https://www.vaultproject.io/api/auth/okta#list-users and https://www.vaultproject.io/api/auth/okta#list-groups

To add a policy to a group, the API call will look like this:

       curl \
       --header "X-Vault-Token: abc" \
       --request POST \
       --data '{ "policies": ["pol1", "pol2"] }' \
       https://vault-domain:8200/v1/auth/okta/groups/grp

ref: https://www.vaultproject.io/api/auth/okta#register-group

Yes, I already tried LIST operations as well.
$ curl --header "X-Vault-Token: abc" --request LIST https://vault:8200/v1/auth/okta/users
It doesn’t work.

I tried from the command line as well:
vault read auth/okta/users/ but it didn't work either.

I tried list with this too
vault list auth/okta/
No value found at auth/okta/

vault list auth/okta/users/
No value found at auth/okta/users/

If I have to see the complete configuration that was created for the Vault-Okta integration, is there any way to see it?

To see the complete configuration, vault read auth/okta/config. I suspect it might not be configured? The configuration steps at https://www.vaultproject.io/docs/auth/okta#configuration are working for me using Vault 1.4.0. I also tested with 0.11.0, this version works too. What Vault version are you working with? Here is my setup:

vault auth enable okta

### reader and admin policies
vault policy write admin -<<EOF
path "*" {
    capabilities = ["create", "update", "delete", "read", "list", "sudo"]
}
EOF

vault policy write reader -<<EOF
path "/secret/*" {
    capabilities = ["read", "list"]
}
EOF

vault write auth/okta/config \
    base_url="okta.com" \
    organization="dev-XXXXXX" \
    api_token="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" \
    bypass_okta_mfa="true"

# create groups, map to policies
vault write auth/okta/groups/auditors policies=reader
vault write auth/okta/groups/admins policies=admin

# list groups
vault list auth/okta/groups

# create users, map to groups
vault write auth/okta/users/admin1 groups=admin
vault write auth/okta/users/auditor1 groups=reader

# list users
vault list auth/okta/users

# display Okta config
vault read auth/okta/config

Thanks for replying.
Okta is already working and configured properly. Here is the output:
Key                Value
---                -----
base_url           okta.com
bypass_okta_mfa    true
max_ttl            0s
org_name           Org
organization       Org
ttl                0s

The issue is that whatever the "vault write auth/okta/groups/scientists policies=nuclear-reactor" command configures in the system, there is no way to see it from the GUI, HTTP API or CLI.
Only a few commands work, like config and policy. I can update the policy but cannot see the Okta group mapping with the policy.
The Okta group mapping with the policy has already been configured previously.
My use case is to add another Okta group with the new policy that I created, but I am not able to see the previously configured data.
I want to see output like this:

vault list auth/okta/groups/policy // which can tell me which Okta group is associated with which policy.
I can see the groups and policies separately, but no mapping.

The only way to check groups/policies is correlation:

$ vault read auth/okta/users/admin1
Key         Value
---         -----
groups      [admin]
policies    []
$ vault read auth/okta/groups/admins
Key         Value
---         -----
policies    [admin]

Note that Vault displays the user’s policy “admin” as “groups” when reading the admin1 user. Not sure if that output is intentional for Vault.
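
The correlation described above can be scripted against the HTTP API, using the `LIST` requests mentioned earlier in the thread. This is an added example, not code from the thread or from Vault: `vault_call`, `okta_mappings` and the `SAMPLE` responses are constructed for illustration, with the sample shaped like the CLI output quoted above. It only sees user and group entries stored in Vault, not group membership held on the Okta side.

```python
import json
import os
import urllib.error
import urllib.request

def vault_call(addr, token, method, path):
    """Send one Vault HTTP API request; return its "data" dict, or None on 404."""
    req = urllib.request.Request(f"{addr}/v1/{path}", method=method,
                                 headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("data") or {}
    except urllib.error.HTTPError as err:
        if err.code == 404:  # nothing stored at this path ("No value found" in the CLI)
            return None
        raise

def okta_mappings(call, mount="auth/okta"):
    """Correlate the group and user entries stored under the Okta auth mount."""
    def keys(path):
        return (call("LIST", path) or {}).get("keys") or []
    groups = {g: (call("GET", f"{mount}/groups/{g}") or {}).get("policies") or []
              for g in keys(f"{mount}/groups")}
    users = {}
    for user in keys(f"{mount}/users"):
        entry = call("GET", f"{mount}/users/{user}") or {}
        policies = set(entry.get("policies") or [])
        unregistered = []
        for group in entry.get("groups") or []:
            if group in groups:
                policies.update(groups[group])
            else:
                unregistered.append(group)  # user points at a group with no entry
        users[user] = {"policies": sorted(policies), "unregistered_groups": unregistered}
    return groups, users

# Constructed sample responses, shaped like the CLI output quoted in this thread.
SAMPLE = {
    ("LIST", "auth/okta/groups"): {"keys": ["admins"]},
    ("GET", "auth/okta/groups/admins"): {"policies": ["admin"]},
    ("LIST", "auth/okta/users"): {"keys": ["admin1"]},
    ("GET", "auth/okta/users/admin1"): {"groups": ["admin"], "policies": []},
}

if __name__ == "__main__":
    live = lambda method, path: vault_call(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], method, path)
    print(json.dumps(okta_mappings(live), indent=2))
```

Run against the constructed sample with `okta_mappings(lambda m, p: SAMPLE.get((m, p)))`, the user `admin1` resolves to no policies, because its stored group `admin` has no entry under `auth/okta/groups` (the registered group there is `admins`).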