Vault - transit per user - OIDC auth

Hi.

I have a simple design question:
We want to use H. Vault transit engine for signing and encrypting/decrypting data.
We’re authenticating users using OIDC.

How can we restrict a given secret so that it is available only to a specific user? (We can retrieve the user id from the authentication response.)

Thank you!

Alen

You would set up the OIDC auth method to save the relevant information either as the username (user_claim) or as metadata (claim_mappings).

Then you would refer to it in policy path templating: Policies | Vault by HashiCorp
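As an added illustration of that answer (not code from the thread or from HashiCorp), here is a Vault policy that uses identity templating so that each OIDC user can only use the transit key named after their own identity alias. It assumes the OIDC auth method is mounted at auth/oidc/, that its role was created with user_claim="sub" (so the alias name is the user's subject identifier), and that the mount accessor reported by `vault auth list` is the placeholder auth_oidc_XXXXXXXX, which must be replaced with the real value.

```hcl
# Added example policy, not from the original thread.
# Assumptions: OIDC mounted at auth/oidc/, role configured with user_claim="sub",
# mount accessor auth_oidc_XXXXXXXX (placeholder; take the real one from `vault auth list`).
# {{identity.entity.aliases.<accessor>.name}} expands to the alias name, i.e. the
# value of the claim chosen as user_claim, so each user resolves to their own key name.

# Let a user create and read (metadata of) only their own key.
path "transit/keys/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["create", "read", "update"]
}

# Encrypt/decrypt and sign/verify with that key only.
path "transit/encrypt/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["update"]
}
path "transit/decrypt/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["update"]
}
path "transit/sign/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["update"]
}
path "transit/verify/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["update"]
}

# Explicitly keep users away from key material export and from key deletion,
# and do not grant "list" on transit/keys/ so users cannot enumerate other users' keys.
path "transit/export/*" {
  capabilities = ["deny"]
}
path "transit/keys/+/config" {
  capabilities = ["deny"]
}
```

If the user id is stored through claim_mappings instead of user_claim, the template becomes `{{identity.entity.aliases.auth_oidc_XXXXXXXX.metadata.<mapping_name>}}`. Using a stable claim such as `sub` rather than `email` as the user id avoids a user silently gaining access to another key if the email changes. Attach the policy via the OIDC role's token_policies so every login through that role receives it.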

Thank you very much!

We’ll try.