Vault + oidc = missing secrets


I have to duplicate a Vault instance into a new region, and the person who previously set up the other instances is no longer with us.

I have successfully set up the new instance and am able to log in as my OIDC user with the "default" policy.

However, once logged in as the OIDC user, I do not see the secrets (kv) mount. I do see it as the root user.

I have compared roles and policies between this fresh instance and the other previously set up instances and they are identical.

The only difference I could find is the provider_config setting.
In the new instance it is provider_config map[] and in the old instances it is provider_config <nil>.

a) Not sure provider_config is the missing link. If so, how do I set it?
b) If provider_config is not the missing link, where do I configure the new Vault instance to allow logged-in users to see the kv/secrets mount?

Thank you in advance

Is there a difference in what is being set for “identity_policies” between systems? You can see what is being set with:

vault token lookup <token>

# If you have the token set in the CLI:
#   vault token lookup $(vault print token)

As a normal user, on one of the old instances, it shows identity_policies [vault-admin].
However, on the new instance, I get permission denied. This is interesting. Where is this being set?

Digging around, I see I set the vault_admin policy as part of the group_name allocated to my user group.

The commands I ran to configure OIDC are:

# Enable the OIDC auth method at the default path (auth/oidc/)
vault auth enable oidc

# Point the method at the identity provider and make "default" the role used
# when a login request does not name one
vault write auth/oidc/config \
  oidc_discovery_url="${discovery_url}" \
  oidc_client_id="${oidc_client_id}" \
  oidc_client_secret="${oidc_client_secret}" \
  default_role="default"

# Role used for the login; groups_claim names the token claim whose values
# are matched against identity group aliases
vault write auth/oidc/role/default \
  user_claim="preferred_username" \
  allowed_redirect_uris="https://vault.${cluster}/ui/vault/auth/oidc/oidc/callback","https://vault.${cluster}/oidc/callback","http://localhost:8250/oidc/callback" \
  groups_claim="test" \
  oidc_scopes="profile" \
  policies=default \
  bound_audiences="${oidc_client_id}" \
  token_ttl="1h"

# Create the external identity group that carries the admin policy and capture
# its id from the table output (tee echoes the full output to stderr)
GROUP_ID=$(vault write identity/group name="sre" type="external" \
  policies="vault_admin" | tee /dev/stderr | awk '/^id/ {print $2}')

# Accessor of the oidc auth mount; the alias must reference this accessor
vault auth list -format=json | jq -r '."oidc/".accessor' > accessor.txt

# Link the external group to the "sre" value of the groups claim on the oidc mount
vault write identity/group-alias name="sre" mount_accessor=$(cat accessor.txt) canonical_id="$GROUP_ID"
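The following is an added example, not code from anyone in this thread or from HashiCorp. It shows the two checks a practitioner would run when comparing the token lookup output suggested above across instances, and when verifying that an external group alias can actually match an OIDC login. Vault only attaches an external group's policies (which surface as identity_policies) when the alias name equals a value of the claim named by the role's groups_claim and the alias mount_accessor equals the accessor of the auth mount that issued the token. All JSON values below are constructed to mirror the shape of `vault token lookup -format=json`, `vault auth list -format=json` and the data block of `vault read -format=json identity/group-alias/id/<id>`; the accessors, entity ids and group names are hypothetical.

```python
import json

# Constructed sample in the shape of `vault token lookup -format=json` on an
# old instance where the group mapping works (hypothetical values).
OLD_INSTANCE_LOOKUP = json.loads("""
{"data": {"accessor": "hmac-old", "display_name": "oidc-alice",
          "entity_id": "entity-old-1",
          "policies": ["default"],
          "identity_policies": ["vault-admin"],
          "meta": {"role": "default"}}}
""")

# Same lookup on the new instance: the token policies match, but no
# identity policies were attached (constructed).
NEW_INSTANCE_LOOKUP = json.loads("""
{"data": {"accessor": "hmac-new", "display_name": "oidc-alice",
          "entity_id": "entity-new-1",
          "policies": ["default"],
          "identity_policies": [],
          "meta": {"role": "default"}}}
""")

# Constructed shape of `vault auth list -format=json` on the new instance.
NEW_AUTH_LIST = {
    "oidc/": {"type": "oidc", "accessor": "auth_oidc_1234abcd"},
    "token/": {"type": "token", "accessor": "auth_token_5678efgh"},
}

# Constructed .data of `vault read -format=json identity/group-alias/id/<id>`;
# the accessor here deliberately does not match the oidc mount above.
NEW_GROUP_ALIAS = {"name": "sre", "mount_accessor": "auth_oidc_deadbeef",
                   "canonical_id": "group-sre-1"}


def effective_policies(lookup):
    """Union of token policies and entity/group policies, which is what Vault
    evaluates when deciding whether a mount or path is visible."""
    data = lookup["data"]
    return set(data.get("policies", [])) | set(data.get("identity_policies", []))


def diff_policies(reference, candidate):
    """Policies granted on the reference instance that the candidate lacks."""
    return sorted(effective_policies(reference) - effective_policies(candidate))


def check_group_alias(auth_list, alias, token_group_claims):
    """Return the reasons (if any) why this alias cannot map an OIDC login to
    its external group: wrong mount accessor, or a name that never appears
    among the groups-claim values carried by the token."""
    problems = []
    oidc_accessor = auth_list.get("oidc/", {}).get("accessor")
    if oidc_accessor is None:
        problems.append("no oidc/ auth mount enabled")
    elif alias["mount_accessor"] != oidc_accessor:
        problems.append(
            f"alias mount_accessor {alias['mount_accessor']} != oidc accessor {oidc_accessor}")
    if alias["name"] not in token_group_claims:
        problems.append(
            f"alias name {alias['name']!r} not among groups claim values {sorted(token_group_claims)}")
    return problems


if __name__ == "__main__":
    print("missing on new instance:", diff_policies(OLD_INSTANCE_LOOKUP, NEW_INSTANCE_LOOKUP))
    # The groups-claim values would come from the decoded ID token; constructed here.
    for problem in check_group_alias(NEW_AUTH_LIST, NEW_GROUP_ALIAS, {"sre"}):
        print("alias problem:", problem)
```

Feed the real lookup and alias JSON into these functions instead of the constructed samples; an empty list from check_group_alias together with an empty diff_policies result means the new instance grants the same effective policies as the old one.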