Vault + oidc = missing secrets

marafa-sugarcrm · December 28, 2021, 4:10pm

hello

i have to duplicate a vault instance in to a new region and the person who previously set up the other instances is no longer with us

i have successfully set up the new instance and am able to login as my oidc user with the “default” policy

however, once logged in as the oidc user, i do not see the secrets (kv) mount. i do see it as the root user.

i have compared roles and policies between this fresh instance and the other previously setup instances and they are identical

the only difference i could find is the provider_config setting.
in the new instance it is provider_config map[] and the old instances it is provider_config <nil>.

a) not sure provider_config is the missing link. if so, how do i set it?
b) if provider_config is not the missing link. where do i configure the new vault instance to allow logged in users to see the kv/secrets mount?

thank you in advance

dwanek · December 28, 2021, 5:33pm

Is there a difference in what is being set for “identity_policies” between systems? You can see what is being set with:

vault token lookup <token>

# If you have the token set in the CLI:
#   vault token lookup $(vault print token)

marafa-sugarcrm · December 28, 2021, 7:47pm

as a normal user, on one of the old instances, it show identity_policies [vault-admin]
however, on the new instance, i get permission denied. this is interesting. where is this being set?

marafa-sugarcrm · December 28, 2021, 7:49pm

digging around, i see i set vault_admin policy as part of the group_name allocated to my user group.

marafa-sugarcrm · December 28, 2021, 8:12pm

the commands i ran to configure OIDC are:

vault auth enable oidc

vault write auth/oidc/config \
  oidc_discovery_url="${discovery_url}" \
  oidc_client_id="${oidc_client_id}" \
  oidc_client_secret="${oidc_client_secret}" \
  default_role="default" \
  namespace_in_state="false"

vault write auth/oidc/role/default \
  user_claim="preferred_username" \
  allowed_redirect_uris="https://vault.${cluster}/ui/vault/auth/oidc/oidc/callback","https://vault.${cluster}/oidc/callback","http://localhost:8250/oidc/callback" \
  groups_claim="test" \
  oidc_scopes="profile" \
  policies=default \
  bound_audiences="${oidc_client_id}" \
  token_ttl="1h" \
  ttl="1h"

vault write identity/group name="sre" type="external" \ 
policies="vault_admin" | tee sre.group
GROUP_ID=$(awk '/id/ {print $2}' sre.group)
vault auth list -format=json | jq -r '."oidc/".accessor' > accessor.txt
vault write identity/group-alias name="sre" mount_accessor=$(cat accessor.txt) canonical_id="$GROUP_ID"

Topic		Replies	Views
When I login with oidc, I can't see kv Vault	4	724	March 21, 2022
OIDC user not getting policy from group Vault	5	640	May 25, 2022
Unable to delete certain secrets (kv2) Vault	0	127	January 22, 2024
Policies not working on more levels. OICD Auth Vault	1	397	June 20, 2023
Vault as OIDC Provider Access Token Issue Vault vault	5	582	October 12, 2023

Vault + oidc = missing secrets

Related topics