Vault OIDC auth method with external groups

I want to use Vault to issue temporary credentials for database access. I have set up Vault with OIDC auth against Azure Active Directory. Authentication itself is working fine.
Now I would like to have a few external groups connected to AD groups to control which person in AD can assume which role in Vault.

OIDC role:
vault write auth/oidc/role/example-ro user_claim="email" allowed_redirect_uris="http://localhost:8250/oidc/callback" allowed_redirect_uris="https://vault./ui/vault/auth/oidc/oidc/callback" groups_claim="groups" policies="example-ro" oidc_scopes="

external group:
vault write -field=id -format=table identity/group name="example-ro" type="external" policies="example-ro"

database role:
vault write database/roles/example-ro db_name=database creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON example.* TO '{{name}}'@'%';GRANT SELECT ON example2.* TO '{{name}}'@'%';GRANT SELECT ON example_archive.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h" username_template="{{.DisplayName | replace \"oidc-\" \"\" | replace \".\" \"\" | truncate 10 }}{{ random 4 }}{{ timestamp \"02\"}}"

vault policy:

path "database/creds/example-ro" {
  capabilities = ["read"]
}

vault policy write example-ro example-ro-policy.hcl


I can log in fine and assume the example-ro role even though I am not a member of the example-ro group in AD. I can log in even when the group is not defined in AD at all.


I expect to see some kind of permission error when I try to log in via OIDC and try to assume a role connected to a nonexistent group or

Hi @hyzza,

Looks like you may be overlapping a couple different ways of assigning policies.

You’ve got two basic options:

  • Assign policies from the OIDC role itself, in which case you’ll need to specify the bound_claims parameter. Using this method the Identity Groups portion is not required.
  • Change your example-ro OIDC role to a “default” role and remove the policies parameter. Then create an Identity Group Alias for your Identity Group. The alias name should be the unique ID within Azure of the group (UUID format). You should also specify the default role name in the mount config to improve login experience (one-click login as opposed to having to type in a role name).

Of course you can mix and match if you need more flexible policy assignment options (i.e. a particular policy can be assigned to the role with bound_claims defined and an optional Identity Group based policy may be assigned when a different attribute is matched). However, if you’re just getting started I’d stick with either of the two methods above and move to this once you’ve got that sorted out.

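The two options from the reply above, written out as an added example; this is not code from the original poster or from HashiCorp. It assumes the OIDC mount is at auth/oidc, that vault.example.com is the Vault host, that the Azure AD group's object ID is the placeholder in AZURE_GROUP_ID, and that VAULT_ADDR and VAULT_TOKEN are already exported. The role payloads are built by functions so they can be inspected offline; nothing is written to Vault unless VAULT_EXAMPLE_APPLY is set to a or b.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumptions: OIDC mount at auth/oidc,
# Vault host vault.example.com, AZURE_GROUP_ID is a placeholder Azure AD group
# object ID, VAULT_ADDR/VAULT_TOKEN exported, jq available for option B.
set -eu

AZURE_GROUP_ID="${AZURE_GROUP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
CALLBACKS='["http://localhost:8250/oidc/callback","https://vault.example.com/ui/vault/auth/oidc/oidc/callback"]'

# Option A: the role carries the policy, and bound_claims gates the login. Vault rejects
# the login unless the id_token's "groups" claim contains the Azure group object ID.
# No identity group or alias is needed for this path.
role_payload_bound_claims() {
  cat <<EOF
{
  "user_claim": "email",
  "groups_claim": "groups",
  "allowed_redirect_uris": ${CALLBACKS},
  "token_policies": ["example-ro"],
  "bound_claims": { "groups": ["${AZURE_GROUP_ID}"] }
}
EOF
}

# Option B: a "default" role with no policies of its own. Policies then come only from
# identity groups, and an external group only gets members through a group alias whose
# name is the Azure group object ID (matched against the groups claim at login).
role_payload_default() {
  cat <<EOF
{
  "user_claim": "email",
  "groups_claim": "groups",
  "allowed_redirect_uris": ${CALLBACKS},
  "token_policies": []
}
EOF
}

apply_option_a() {
  # "-" makes vault write read the JSON payload from stdin.
  role_payload_bound_claims | vault write auth/oidc/role/example-ro -
}

apply_option_b() {
  role_payload_default | vault write auth/oidc/role/default -
  # Writing auth/oidc/config replaces the whole config, so the discovery URL and client
  # credentials (assumed to be in these env vars) are re-supplied alongside default_role.
  vault write auth/oidc/config \
    oidc_discovery_url="${OIDC_DISCOVERY_URL}" \
    oidc_client_id="${OIDC_CLIENT_ID}" \
    oidc_client_secret="${OIDC_CLIENT_SECRET}" \
    default_role="default"
  local accessor group_id
  accessor=$(vault auth list -format=json | jq -r '."oidc/".accessor')
  group_id=$(vault write -field=id identity/group name="example-ro" type="external" policies="example-ro")
  # The alias name must be the Azure group object ID, not the group's display name.
  vault write identity/group-alias \
    name="${AZURE_GROUP_ID}" mount_accessor="${accessor}" canonical_id="${group_id}"
}

case "${VAULT_EXAMPLE_APPLY:-}" in
  a) apply_option_a ;;
  b) apply_option_b ;;
  *) ;;
esac
```

Run with `VAULT_EXAMPLE_APPLY=a` or `=b` after exporting the assumed variables. In option A the database role and policy from the original post stay as they are; only the OIDC role changes. In option B the example-ro role from the original post should be removed, otherwise its unconditional `policies` setting keeps granting access regardless of group membership.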

thanks! bound_claims is the way to go.