Vault - OIDC Azure AD Integration | Restrict secret access based on Azure AD Groups

Environment :

  • Version : 1.11.0
  • Type : OSS
  • Cluster : Openshift Container Platform

We are working on integrating our Vault Cluster with Azure AD using OIDC, for user authentication/authorization.

  1. An Azure App Registration is created/configured using the following documentation :
  2. The following API permissions are granted to the App Registration :
  • Group.Read.All
  • GroupMember.Read.All
  • User.Read
  • User.Read.All
  3. Two Azure AD groups of type Security are created and assigned to the App Registration :
  • INFRA_ADMINS
  • DEVS_P
  4. The OIDC Auth method is configured as follows :

Additionally, two Vault external groups are created and mapped to the Azure AD groups :

  • vault write -field=id -format=table identity/group name="INFRA_ADMINS" type="external" policies="kv-infra"

  • vault write identity/group-alias name="INFRA_ADMINS" mount_accessor="auth_oidc_558cd787" canonical_id="1f78aac7-0c59-105a-1d06-bba94a414a95"

  • vault write -field=id -format=table identity/group name="DEVS_P" type="external" policies="kv-dev"

  • vault write identity/group-alias name="DEVS_P" mount_accessor="auth_oidc_558cd787" canonical_id="9cba8776-0cca-8716-91f3-c8854e3c7837"

Now, I can log in with each of the roles and see what its policy allows it to see :

  • vault login -method=oidc -path=oidc-aad role=dev
  • vault login -method=oidc -path=oidc-aad role=infra

The problem is that users who are part of different Azure AD Groups (INFRA_ADMINS & DEVS_P) can use either of those roles and see what they are not supposed to see. They just need to know the name of the role.
I suppose this should be fixed by the external group mapping, but it looks like I am missing something here.

Any kind of suggestion would be appreciated.

Many thanks,
Erlis

I think you either need to use the external Identity Groups as you mentioned, or you may need to specify the bound_claims (basically what should Vault look for in the JWT to match it with this role). See this example:
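As an added illustration of the bound_claims approach (example script, not code from the thread or from HashiCorp), the following defines one OIDC role per Azure AD group so that a token whose "groups" claim does not contain the expected group is rejected at login, regardless of which role name the user passes. It assumes the auth method is mounted at "oidc-aad" as in the login commands above, that Azure AD emits group object IDs (not names) in the "groups" claim, and that the two object IDs, the Vault address and the "email" user claim are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the original thread): one OIDC role per Azure AD group.
# Placeholders: replace with the real object IDs of INFRA_ADMINS and DEVS_P.
INFRA_ADMINS_OBJECT_ID="00000000-0000-0000-0000-00000000aaaa"  # placeholder
DEVS_P_OBJECT_ID="00000000-0000-0000-0000-00000000bbbb"        # placeholder
VAULT_ADDR="${VAULT_ADDR:-https://vault.example.com:8200}"     # placeholder

# role_json GROUP_OBJECT_ID POLICY
# Emits the role definition as JSON. "bound_claims" is the part that ties the
# role to a group: Vault only issues a token if the id token's "groups" claim
# contains GROUP_OBJECT_ID, so knowing the role name alone is not enough.
role_json() {
  printf '{"role_type":"oidc","user_claim":"email","groups_claim":"groups",'
  printf '"bound_claims_type":"string","bound_claims":{"groups":["%s"]},' "$1"
  printf '"allowed_redirect_uris":["%s/ui/vault/auth/oidc-aad/oidc/callback",' "$VAULT_ADDR"
  printf '"http://localhost:8250/oidc/callback"],'
  printf '"oidc_scopes":["https://graph.microsoft.com/.default"],'
  printf '"token_policies":["%s"],"token_ttl":"1h"}\n' "$2"
}

# configure_role ROLE GROUP_OBJECT_ID POLICY
# Writes the role; the trailing "-" makes `vault write` read the JSON body from stdin.
configure_role() {
  role_json "$2" "$3" | vault write "auth/oidc-aad/role/$1" -
}

# Only talk to Vault when explicitly asked, so the script can be reviewed safely.
if [ "${1:-}" = "apply" ]; then
  configure_role infra "$INFRA_ADMINS_OBJECT_ID" kv-infra
  configure_role dev   "$DEVS_P_OBJECT_ID"       kv-dev
fi
```

The external identity groups from the question remain useful for attaching policies to group members; bound_claims is what stops a DEVS_P member from logging in as the infra role at all.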

Thank you.
We solved this by using bound_claims.
Closing this.