Hello,
The documentation I used is that one: vault oidc provider
For the unclear part in the documentation, what was most unclear was where to put the gsuite_service_account. I had to try multiple things until I figured out that in cluster mode you need to have the file deployed on each instance. I think the description should be "Path on all vault instances…".
Then the example configuration and role do not work… I tried really hard to give the conf on the command line after having issues with the UI… and it was impossible to give the provider_config as in the example… A UI example may be best for this part… Same for the role example: claims could not be declared that way, I had to declare a JSON file and then pass it with "@filename" to be able to declare claims.
I tried to use bound_claims, but when I do that, even if I'm part of the group I declare in the role, I can't log in, it just gives an error. I tried something like this:
{
  "allowed_redirect_uris": "https://URL/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
  "user_claim": "sub",
  "policies": "vault_admin",
  "ttl": "24h",
  "groups_claim": "devops",
  "oidc_scopes": "profile",
  "bound_claims": {
    "group": ["devops"]
  }
}
So I tried that, but then nobody is able to connect… We checked in the Gsuite console and I'm in the group; if I remove the claim I can connect, but then anyone can connect using the role.
What is the right way to use the roles and Gsuite groups to limit the role?
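An added example, not from the post above and not Vault's own code: a small script that lints a Vault OIDC role definition before it is handed to `vault write auth/oidc/role/<name> @role.json`. It catches the two things most likely to bite when a role is pasted from a web page or typed by hand: typographic quotes that are not valid JSON, and list-valued fields (allowed_redirect_uris, policies, oidc_scopes, bound_claims values) given as strings. It also flags a role whose bound_claims does not reference the claim named by groups_claim, on the assumption (labelled in the code) that the gsuite provider exposes Google group membership under that claim name, keyed by group e-mail address. The hostnames and the group address are constructed placeholders, and the role name in the generated command is arbitrary.

```python
"""Lint a Vault OIDC role definition before passing it as @role.json.

Added example; assumptions are marked inline. Not part of Vault or the post.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Constructed role definition with the shapes Vault expects from a JSON file.
# Hostnames and the group address are placeholders.
ROLE_OK = {
    "allowed_redirect_uris": [
        "https://vault.example.com/ui/vault/auth/oidc/oidc/callback",
        "http://localhost:8250/oidc/callback",
    ],
    "user_claim": "sub",
    "policies": ["vault_admin"],
    "ttl": "24h",
    "groups_claim": "groups",
    "oidc_scopes": ["openid", "profile"],
    # Assumption: with the gsuite provider, fetched Google groups appear in the
    # claim named by groups_claim and are identified by group e-mail address,
    # so the restriction must bind on that same claim name.
    "bound_claims": {"groups": ["devops@example.com"]},
}

# The shape from the post above (comma-separated strings, mismatched claim key).
ROLE_POSTED = {
    "allowed_redirect_uris": "https://URL/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback",
    "user_claim": "sub",
    "policies": "vault_admin",
    "ttl": "24h",
    "groups_claim": "devops",
    "oidc_scopes": "profile",
    "bound_claims": {"group": ["devops"]},
}

CURLY = re.compile("[\u201c\u201d\u2018\u2019]")  # “ ” ‘ ’ as pasted from web pages


def check_json_text(text: str) -> list[str]:
    """Findings for a raw role file: typographic quotes and parse errors."""
    findings = []
    if CURLY.search(text):
        findings.append("file contains typographic quotes; JSON needs straight double quotes")
    try:
        json.loads(CURLY.sub('"', text))
    except json.JSONDecodeError as exc:
        findings.append(f"JSON does not parse: {exc.msg}")
    return findings


def lint_role(role: dict) -> list[str]:
    """Findings for a parsed role definition; an empty list means nothing flagged."""
    findings = []
    for key in ("allowed_redirect_uris", "policies", "oidc_scopes"):
        if isinstance(role.get(key), str):
            findings.append(f"{key} should be a JSON list, not a comma-separated string")
    if not role.get("user_claim"):
        findings.append("user_claim is required")
    bound = role.get("bound_claims")
    groups_claim = role.get("groups_claim")
    if bound is None:
        findings.append("no bound_claims: any user the IdP accepts can use this role")
        return findings
    if not isinstance(bound, dict):
        findings.append("bound_claims must be an object mapping claim name to a list of values")
        return findings
    for claim, values in bound.items():
        if not isinstance(values, list) or not values:
            findings.append(f"bound_claims[{claim!r}] should be a non-empty list")
    if groups_claim and groups_claim not in bound:
        findings.append(
            f"bound_claims has no entry for groups_claim {groups_claim!r} "
            f"(keys present: {sorted(bound)}); group membership is not what restricts this role"
        )
    group_values = bound.get(groups_claim)
    if isinstance(group_values, list):
        for value in group_values:
            if "@" not in str(value):
                findings.append(
                    f"group value {value!r} is not an e-mail address "
                    "(assumption: Google groups are matched by group address)"
                )
    return findings


def write_role_file(role: dict, path: Path, role_name: str = "devops") -> str:
    """Write the role as JSON and return the CLI command that loads it."""
    path.write_text(json.dumps(role, indent=2) + "\n", encoding="utf-8")
    return f"vault write auth/oidc/role/{role_name} @{path}"


if __name__ == "__main__":
    for label, role in (("posted", ROLE_POSTED), ("fixed", ROLE_OK)):
        print(label, lint_role(role) or "no findings")
    print(write_role_file(ROLE_OK, Path("role.json")))
```

Run the file to see the findings for both shapes; `lint_role` returns them as a list so it can gate a deployment script, and `check_json_text` is meant to run on the file contents before `json.loads` so a pasted smart quote is reported as such rather than as an opaque parse error.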