Vault oidc login - multiple roles, one login, one token

Hello!

In my setup, I am using Vault with the OIDC method enabled against Azure AD, where I use groups to control which user is allowed to use which OIDC role - I am using bound claims to check the AD group. One user could be a member of multiple groups, so he could use multiple OIDC roles.

Generic vault auth help oidc command outputs:
Usage: vault login -method=oidc [CONFIG K=V…]

role=
Vault role of type “OIDC” to use for authentication.

I tried using

vault login -method=oidc role=other-rw role=core-rw

but I am getting the following error:
Error parsing configuration: failed to convert values to strings: 1 error(s) decoding:

  • ‘[role]’ expected type ‘string’, got unconvertible type ‘interface {}’

I am using vault 1.9.3

I’m not using OIDC so this may be incorrect, but my guess is that you can’t request multiple roles. I believe you “can” set up a default_role when you set up the auth, then add the “other-rw” role when logging in. This is a guess though.

Hi! Yes, I suspect this is the case, but I can see no reason why it shouldn’t work. Of course I can be wrong, but the manual says [ K=V ], which seems to me to mean that multiple key/value pairs can be passed.

The thing with my setup is that I would like to control access to secrets via AD group membership.

  • one AD group represents a set of projects/databases
  • one user can be a member of multiple groups - for example, an advanced developer who has access to multiple projects is a member of multiple groups
  • I would like those people to get a single token from Vault after login, where all their roles (and therefore policies) are accumulated.

I guess other options are:

  1. create AD groups for all necessary combinations of access permissions (for example, if I have sets of projects A, B and C, I would need to create groups A (for users that access only A projects), AB (for users that access projects A and B), AC (for users that access projects A and C) and so on)
  2. create a helper script that would keep multiple login tokens for a user - one for each role - and keep this structured for all users at all times.

Both of these solutions seem a bit overcomplicated compared to just getting all roles in one login / token.

Hi!

This is very much possible. However, perhaps not with the “roles” approach. The setup that I am familiar with uses “external groups”.

  1. Set up the OIDC auth method with a default role and connect it to your application. This role should only be used to perform login operations.
  2. You define external groups that have an alias linked to the AD group object ID
  3. When logging in with OIDC, an entity is created over at Vault, which then automatically recognises the external groups
  4. These external groups are then linked to an internal group which contains the policies

This approach doesn’t require your users to remember their roles; they are automatically managed by the administrator team and Azure AD.

An example tutorial that has this approach: Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn.


Hello,

just to let everybody know:

Initially (before I even started this thread) I tried the setup you mentioned - the Azure AD with external groups example tutorial - but it was not working well for me. That’s why I ended up trying the role approach.

After some time spent debugging, I found out that (after I followed the tutorial) AD was not sending group information that would contain group names (displayName in AD), but it was sending UUIDs (Azure object IDs), so I had to create Vault groups with names as AD group IDs.

After that, vault started to assign entities to correct groups.

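A debugging aid for the mismatch described in the last post, added here as an example and not code from any poster or from Vault: it decodes an ID token's groups claim and checks which external group alias names would match it. The object IDs, alias names, policy names and the `groups` claim name are constructed assumptions, and the matching is a simplified model of Vault's behaviour.

```python
import base64
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def b64url(data):
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve(claims, alias_policies, groups_claim="groups"):
    """Simplified model: an alias matches only if its name equals a claim value.

    Returns (policy union, aliases that cannot match an object-ID-only claim).
    """
    sent = claims.get(groups_claim, [])
    sent = {sent} if isinstance(sent, str) else set(sent)  # tolerate a bare string
    policies = set()
    for alias, pols in alias_policies.items():
        if alias in sent:
            policies.update(pols)  # one login accumulates every matching group
    ids_only = bool(sent) and all(UUID_RE.match(g) for g in sent)
    suspect = [a for a in alias_policies if ids_only and not UUID_RE.match(a)]
    return sorted(policies), sorted(suspect)

# Constructed sample data: object IDs, alias names and policy names are made up.
OTHER_ID = "11111111-1111-4111-8111-111111111111"
CORE_ID = "22222222-2222-4222-8222-222222222222"
SAMPLE = ".".join([b64url({"alg": "RS256", "typ": "JWT"}),
                   b64url({"sub": "dev1", "groups": [OTHER_ID, CORE_ID]}),
                   "signature-omitted"])
BY_NAME = {"other-team": ["other-rw"], "core-team": ["core-rw"]}  # display names
BY_ID = {OTHER_ID: ["other-rw"], CORE_ID: ["core-rw"]}            # object IDs

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE)
    print("display-name aliases:", resolve(claims, BY_NAME))
    print("object-ID aliases:   ", resolve(claims, BY_ID))
```

With aliases keyed by display name the user ends up with no policies and both aliases are flagged; keyed by object ID, the single login carries both policies.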