Environment:
- Version: 1.11.0
- Type: OSS
- Cluster: OpenShift Container Platform
We are working on integrating our Vault Cluster with Azure AD using OIDC, for user authentication/authorization.
- An Azure App Registration is created/configured using the following documentation:
- Quickstart: Register an app in the Microsoft identity platform - Microsoft Entra | Microsoft Docs
- Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn
- OIDC Provider Setup - Auth Methods - Azure Active Directory | Vault by HashiCorp
- The following API permissions are granted to the App Registration:
- Group.Read.All
- GroupMember.Read.All
- User.Read
- User.Read.All
- Two Azure AD groups of type Security are created and assigned to the App Registration:
- INFRA_ADMINS
- DEVS_P
- OIDC Auth method is configured as follows:
  - vault auth enable -default-lease-ttl=2m -path=oidc-aad oidc
  - vault write auth/oidc-aad/config oidc_client_id="APP_REGISTRATION_CLIENT_ID" oidc_client_secret="APP_REGISTRATION_CLIENT_SECRET" oidc_discovery_url="https://login.microsoftonline.com/d9f5343-cb22-0wew1c9-4956-b859-4f876f6a5534332c83/v2.0"
Two Vault policies are created, one for each team (Infra & Dev):
** kv-infra
** kv-dev
Two roles are created, each mapped to one of the policies:
** vault write auth/oidc-aad/role/infra user_claim="email" allowed_redirect_uris="http://localhost:8250/oidc/callback" allowed_redirect_uris="https://vaultURL/ui/vault/auth/oidc-aad/oidc/callback" groups_claim="groups" policies="kv-infra" oidc_scopes="https://graph.microsoft.com/.default" ttl=2m
** vault write auth/oidc-aad/role/dev user_claim="email" allowed_redirect_uris="http://localhost:8250/oidc/callback" allowed_redirect_uris="https://vaultURL/ui/vault/auth/oidc-aad/oidc/callback" groups_claim="groups" policies="kv-dev" oidc_scopes="https://graph.microsoft.com/.default" ttl=2m
Additionally, two Vault external groups are created and mapped to the Azure AD groups:
- vault write -field=id -format=table identity/group name="INFRA_ADMINS" type="external" policies="kv-infra"
- vault write identity/group-alias name="INFRA_ADMINS" mount_accessor="auth_oidc_558cd787" canonical_id="1f78aac7-0c59-105a-1d06-bba94a414a95"
- vault write -field=id -format=table identity/group name="DEVS_P" type="external" policies="kv-dev"
- vault write identity/group-alias name="DEVS_P" mount_accessor="auth_oidc_558cd787" canonical_id="9cba8776-0cca-8716-91f3-c8854e3c7837"
Now I can log in with each of the roles and see what its policy allows:
- vault login -method=oidc -path=oidc-aad role=dev
- vault login -method=oidc -path=oidc-aad role=infra
The problem is that users who are members of different Azure AD groups (INFRA_ADMINS & DEVS_P) can use either of those roles and see what they are not supposed to see. They just need to know the name of the role.
I suppose this should be fixed by the external group mapping, but it looks like I am missing something here.
Any kind of suggestion would be appreciated.
Many thanks,
Erlis
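The behaviour in the post follows from how the OIDC auth method assigns policies: whatever is in a role's `policies` is granted to anyone who completes the login flow through that role, and the external-group mapping only adds policies on top of that; it never restricts which role a user may pick. The role is restricted by `bound_claims`, which makes the login fail unless the token's claim (here `groups`) contains an allowed value. Two further details matter: Azure AD puts group object IDs, not display names, into the `groups` claim, so a group alias named `INFRA_ADMINS` never matches and must instead be named after the group's object ID; and once each role is pinned to its group, the role's own `policies` can be dropped so that policy comes only from the external group. The following script is an added example, not code from the post or from Vault: it re-implements the documented semantics of `bound_claims` (exact string match, any element of a list-valued claim suffices), `groups_claim` and external-group aliases in plain Python, using constructed object IDs and constructed ID-token claims, so the "as posted" and "hardened" role definitions can be compared offline.

```python
"""Model of how the Vault OIDC auth method decides a login and its policies.

Added example, not Vault's own code: a stand-alone re-implementation of the
documented semantics of a role's `bound_claims`, `groups_claim` and
`policies`, plus external-group aliases, so the behaviour described in the
post (any authenticated user can pick either role) can be reproduced and
contrasted with roles pinned to one Azure AD group each.
"""

# Constructed sample group object IDs; the real tenant's IDs differ.
INFRA_GROUP_ID = "11111111-1111-1111-1111-111111111111"
DEV_GROUP_ID = "22222222-2222-2222-2222-222222222222"

# Roles as configured in the post: policies attached to the role itself and
# no bound_claims, so anyone who can complete the OIDC flow may use either.
ROLES_AS_POSTED = {
    "infra": {"user_claim": "email", "groups_claim": "groups",
              "policies": ["kv-infra"], "bound_claims": {}},
    "dev":   {"user_claim": "email", "groups_claim": "groups",
              "policies": ["kv-dev"], "bound_claims": {}},
}

# Hardened variant: bound_claims requires the matching group object ID in the
# token's groups claim, and the role carries no policies of its own, so the
# only source of policies is the external-group mapping below.
ROLES_HARDENED = {
    "infra": {"user_claim": "email", "groups_claim": "groups",
              "policies": [], "bound_claims": {"groups": [INFRA_GROUP_ID]}},
    "dev":   {"user_claim": "email", "groups_claim": "groups",
              "policies": [], "bound_claims": {"groups": [DEV_GROUP_ID]}},
}

# External groups keyed by alias name. Vault matches the alias name against
# the raw values of groups_claim, and Azure AD emits group object IDs there,
# so the alias must be named after the object ID, not the display name.
EXTERNAL_GROUPS = {
    INFRA_GROUP_ID: ["kv-infra"],
    DEV_GROUP_ID: ["kv-dev"],
}

# Constructed ID-token claims for one member of each group.
DEV_USER = {"email": "dev@example.test", "groups": [DEV_GROUP_ID]}
INFRA_USER = {"email": "ops@example.test", "groups": [INFRA_GROUP_ID]}


class LoginDenied(Exception):
    """Raised where Vault would reject the login with a permission error."""


def _claim_satisfies(actual, allowed):
    """bound_claims semantics: a list-valued claim passes if any element is
    allowed; a scalar claim must itself be one of the allowed values."""
    values = actual if isinstance(actual, list) else [actual]
    return any(value in allowed for value in values)


def login(roles, role_name, claims):
    """Return the set of policies a token gets for `role_name`, or raise.

    Policies are the union of the role's own policies and the policies of
    every external group whose alias name appears in the groups claim.
    """
    if role_name not in roles:
        raise LoginDenied(f"role {role_name!r} does not exist")
    role = roles[role_name]
    if role["user_claim"] not in claims:
        raise LoginDenied(f"claim {role['user_claim']!r} not present in token")
    for claim, allowed in role["bound_claims"].items():
        if claim not in claims or not _claim_satisfies(claims[claim], allowed):
            raise LoginDenied(f"claim {claim!r} does not match bound_claims")
    policies = set(role["policies"])
    for group_id in claims.get(role["groups_claim"], []):
        policies.update(EXTERNAL_GROUPS.get(group_id, []))
    return policies


def outcome(roles, role_name, claims):
    """Policies granted (sorted), or the denial reason, for a demo table."""
    try:
        return sorted(login(roles, role_name, claims))
    except LoginDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    for label, roles in (("as posted", ROLES_AS_POSTED), ("hardened", ROLES_HARDENED)):
        for role_name in ("infra", "dev"):
            for who, claims in (("dev user", DEV_USER), ("infra user", INFRA_USER)):
                print(f"{label:9} role={role_name:5} {who:10} -> "
                      f"{outcome(roles, role_name, claims)}")
```

Running it shows the reported problem directly: with the roles as posted, a member of DEVS_P logging in with `role=infra` ends up with both `kv-infra` (from the role) and `kv-dev` (from the external group). With the hardened roles the same attempt is denied at the `bound_claims` check, and each user only ever receives the policy of the group they belong to. In Vault the equivalent change is to add a `bound_claims` entry for `groups` with the group's object ID to each role (leaving `bound_claims_type` at its default of exact string matching), remove `policies` from the roles, and rename the two group aliases to the respective object IDs.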