In my setup, I am using Vault with OIDC method enabled against Azure AD, where I use groups to control which user is allowed to use which oidc role - I am using bound claims to check AD group. One user could be member of multiple groups, so he could use multiple OIDC roles.
I’m not using OIDC so this may be incorrect, but my guess is that you can’t request multiple roles. I believe you “can” set up a default_role when you set up the auth, then add the “other-rw” role when logging in. This is a guess though.
Hi! Yes, I suspect this is the case, but I can see no reason why it shouldn’t work. Of course I can be wrong, but the manual says [ K=V ], which seems to me that multiple key/value pairs can be passed over.
The thing with my setup is that I would like to control access to secrets via AD group membership.
one AD group represents a set of projects/databases
one user can be a member of multiple groups - for example an advanced developer who has access to multiple projects is a member of multiple groups
I would like those people to get a single token from Vault after login, where all their roles (and therefore policies) are accumulated.
I guess other options are:
create AD groups for all necessary combinations of access permissions (for example if I have sets of projects A, B and C, I would need to create groups A (for users that access only A projects), AB (for users that access projects A and B), AC (for users that access projects A and C) and so on)
create a helper script that would keep multiple login tokens for a user - one for each role - and keep this structured for all users at all times.
Both of these solutions seem a bit overcomplicated compared to just getting all roles in one login / token.
Initially (before I even started this thread) I tried the setup you mentioned - the Azure AD with external groups example tutorial - but it was not working well for me. That’s why I ended up trying the role approach.
After some time spent debugging, I found out that (after I followed the tutorial) AD was not sending group information containing group names (displayName in AD) but was sending UUIDs (Azure object IDs), so I had to create Vault groups whose names are the AD group IDs.
After that, Vault started to assign entities to the correct groups.
I’m facing the same question: what if the same user is in multiple groups with multiple role assignments?
Could you explain in a bit more detail how you solved the question?
So if you log in now with the user who is a member of multiple groups, the group permissions are appended?
I believe you have been misled by the very generic English word “role” being used to mean different things in different areas of computer security.
A “role” in Vault means a “configuration profile”. It does NOT map onto groups, nor does it have anything to do with roles as in “Role Based Access Control”.
Almost all users of the Vault OIDC auth method should define exactly one role only.
I would suggest naming that role default, and setting it as the default role in the OIDC auth method config, so that users don’t even need to know the name of the role.
Should you have further questions, I would encourage you to start a new forum topic, rather than resurrecting one from over a year ago. This gives you a place to clearly present your own questions, and means that potential responders don’t need to read a lot of previous messages that may or may not be relevant.
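The single-role layout described in the reply above, combined with the earlier finding that Azure sends group object IDs rather than display names, as an added example script (not from this thread or from HashiCorp): one OIDC mount with one role named default set as default_role, and each AD group mapped to a Vault external identity group whose alias name is the AD object ID, so one login yields one token carrying the union of the groups’ policies. Tenant ID, client ID/secret, object IDs and policy names are placeholders; it assumes VAULT_ADDR and an admin VAULT_TOKEN, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example: Vault OIDC auth against Azure AD with a single "default" role
# plus external identity groups aliased on AD group object IDs.
# Placeholders below are assumptions; replace them with your own values.
set -eu

TENANT_ID="${TENANT_ID:-<azure-tenant-id>}"
CLIENT_ID="${CLIENT_ID:-<azure-app-client-id>}"
CLIENT_SECRET="${CLIENT_SECRET:-<azure-app-client-secret>}"

# DRY_RUN=1 prints each vault command instead of executing it.
vault_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "vault $*"; else command vault "$@"; fi
}

# One mount, one role named "default", set as default_role so users can run
# "vault login -method=oidc" without naming a role at all.
# The app registration must emit the "groups" claim in the ID token.
configure_oidc_auth() {
  vault_cmd auth enable oidc
  vault_cmd write auth/oidc/config \
    oidc_discovery_url="https://login.microsoftonline.com/$TENANT_ID/v2.0" \
    oidc_client_id="$CLIENT_ID" \
    oidc_client_secret="$CLIENT_SECRET" \
    default_role="default"
  vault_cmd write auth/oidc/role/default \
    user_claim="email" \
    groups_claim="groups" \
    bound_audiences="$CLIENT_ID" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback" \
    token_policies="default"
}

# map_ad_group <vault-group-name> <ad-group-object-id> <policy>[,<policy>...]
# The alias name must be the AD object ID (what the groups claim carries),
# not the displayName. Policies of every matched group are added to the token.
map_ad_group() {
  name="$1"; object_id="$2"; policies="$3"
  accessor=$(vault_cmd read -field=accessor sys/auth/oidc)
  group_id=$(vault_cmd write -field=id identity/group \
    name="$name" type="external" policies="$policies")
  vault_cmd write identity/group-alias \
    name="$object_id" mount_accessor="$accessor" canonical_id="$group_id"
}

# Run with APPLY=1 to execute; a user in both AD groups gets both policies.
if [ "${APPLY:-0}" = 1 ]; then
  configure_oidc_auth
  map_ad_group "password-readers-a" "<object-id-of-Password_reader_A>" "project-a-read"
  map_ad_group "password-readers-b" "<object-id-of-Password_reader_B>" "project-b-read"
fi
```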
Dear @maxb ,
Sorry, my interpretation was wrong.
My question is:
I have a user called “Foo”.
He is a member of 2 groups in AD: “Password_reader_A” and “Password_reader_B”.
Both AD groups have a group alias and a role in Vault, 1-1.
If I log in with the user Foo, which group will be used if I do not choose a role at login?