Vault OIDC external groups user being assigned all policies

I have set up OIDC with Azure Active Directory and created two groups: an admin group and a Devops group with limited permissions. If a user is assigned to both groups and logs in with the Devops role, the user is still assigned the admin policy.

So, for example, Bob is in both the Azure AD group vault admin and the Azure AD group vault Devops, and logs into Vault with the Devops role; he still has admin access inside Vault, as his identity is getting the admin policy assigned, as seen below in a snippet from logging into Vault via the command line.

```
token_policies      ["default" "devops"]
identity_policies   ["admins" "default" "devops"]
policies            ["default" "devops" "admins" "default" "devops"]
```

Below is the Terraform code that created everything for me.

```hcl
resource "vault_jwt_auth_backend" "admin_oidc" {
  provider           = vault.admin
  description        = "Azure SSO"
  path               = "oidc"
  type               = "oidc"
  default_role       = "devops"
  oidc_discovery_url = "https://login.microsoftonline.com//v2.0"
  oidc_client_id     = var.sso_client_id
  oidc_client_secret = var.sso_secret_id
  bound_issuer       = "https://login.microsoftonline.com//v2.0"
}

resource "vault_jwt_auth_backend_role" "devops_oidc" {
  backend               = vault_jwt_auth_backend.admin_oidc.path
  role_name             = "devops"
  token_policies        = ["default"]
  user_claim            = "email"
  groups_claim          = "groups"
  bound_audiences       = # value missing from the post as written
  role_type             = "oidc"
  provider              = vault.admin
  allowed_redirect_uris = ["http://localhost:8250/oidc/callback", "https:///ui/vault/auth/oidc/oidc/callback"]
  oidc_scopes           = ["https://graph.microsoft.com/.default"]
}

resource "vault_identity_group" "vault-devops-group" {
  provider = vault.admin
  name     = "devops"
  type     = "external"
  policies = ["default"]

  metadata = {
    version = "1"
  }
}

resource "vault_identity_group_alias" "devops-group-alias" {
  provider       = vault.admin
  name           = ""
  mount_accessor = vault_jwt_auth_backend.admin_oidc.accessor
  canonical_id   = vault_identity_group.vault-devops-group.id
}
```

Admin role below:

```hcl
resource "vault_jwt_auth_backend_role" "admin_oidc" {
  backend               = vault_jwt_auth_backend.admin_oidc.path
  role_name             = "vault-admins"
  token_policies        = ["default", "admins"]
  user_claim            = "email"
  groups_claim          = "groups"
  bound_audiences       = # value missing from the post as written
  role_type             = "oidc"
  provider              = vault.admin
  allowed_redirect_uris = ["http://localhost:8250/oidc/callback", "https:///ui/vault/auth/oidc/oidc/callback"]
  oidc_scopes           = ["https://graph.microsoft.com/.default"]
}

resource "vault_identity_group" "vault-admins-group" {
  provider = vault.admin
  name     = "vault-admins"
  type     = "external"
  policies = ["admins", "default"]

  metadata = {
    version = "1"
  }
}

resource "vault_identity_group_alias" "vault-admins-group-alias" {
  provider       = vault.admin
  name           = ""
  mount_accessor = vault_jwt_auth_backend.admin_oidc.accessor
  canonical_id   = vault_identity_group.vault-admins-group.id
}
```
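The following is an added example, not the poster's or Vault's own code: a simplified model of how Vault assembles a token's policies after an OIDC login, built from the two roles and two external groups in the Terraform above. It shows why the admin policy follows Bob into the devops role: group aliases are matched by mount accessor and claim value, never by role. The alias names are constructed placeholders standing in for the Azure AD group object IDs.

```python
# Added example (not Vault's or the poster's code): a simplified model of how
# Vault builds a token's policy set after an OIDC login, using the roles and
# external groups from the Terraform above. Alias names are constructed
# placeholders; in a real deployment they are the Azure AD group object IDs.
ROLES = {
    "devops":       ["default"],            # token_policies of the devops role
    "vault-admins": ["default", "admins"],  # token_policies of the admin role
}

# external identity group -> its alias on the oidc mount and its policies
EXTERNAL_GROUPS = {
    "devops":       {"alias": "aad-gid-devops-PLACEHOLDER", "policies": ["default"]},
    "vault-admins": {"alias": "aad-gid-admins-PLACEHOLDER", "policies": ["admins", "default"]},
}


def login(role: str, groups_claim: list[str]) -> dict:
    """Return token_policies, identity_policies and the combined policies list
    for a login via `role` whose ID token carries `groups_claim`."""
    if role not in ROLES:
        raise KeyError(f"unknown role: {role}")
    token_policies = list(ROLES[role])
    # Group aliases are resolved by mount accessor and claim value, not by role:
    # every claim value matching an alias attaches that group's policies to the
    # entity, so they follow the user into whichever role they log in with.
    identity = set()
    for group in EXTERNAL_GROUPS.values():
        if group["alias"] in groups_claim:
            identity.update(group["policies"])
    identity_policies = sorted(identity)
    return {
        "token_policies": token_policies,
        "identity_policies": identity_policies,
        # the "policies" line Vault prints is the two lists concatenated,
        # which is why "default" appears twice in the post's output
        "policies": token_policies + identity_policies,
    }


def policies_not_granted_by_role(role: str, groups_claim: list[str]) -> set[str]:
    """Policies the token ends up with that the login role itself never granted."""
    result = login(role, groups_claim)
    return set(result["identity_policies"]) - set(result["token_policies"])


if __name__ == "__main__":
    bob = ["aad-gid-devops-PLACEHOLDER", "aad-gid-admins-PLACEHOLDER"]  # in both AAD groups
    print(login("devops", bob))
    print("not granted by the devops role:", policies_not_granted_by_role("devops", bob))
```

Running `policies_not_granted_by_role` against a real `vault token lookup` result for a low-privilege role is a quick way to spot users who pick up high-privilege policies purely through group membership.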

It’s quite awkward reading Terraform code that has been mangled by the forum system. Would you mind fixing your post? (Use ``` markers to define a code block.)

What is your aim in defining multiple roles in this way? It is not normal to define multiple roles for different subsets of humans. I suggest you just define one role for everyone logging in.