Vault - transit per user - OIDC auth


I have a simple design question:
We want to use H. Vault transit engine for signing and encrypting/decrypting data.
We’re authenticating users using OIDC.

How can we limit that a given secret is available only to a specific user? (we can retrieve the user id from the authentication response)

Thank you!


You would set up the OIDC auth method to save the relevant information either as the username (user_claim) or as metadata (claim_mappings).

Then you would refer to it in policy path templating (see the Vault docs page "Policies | Vault by HashiCorp").
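A policy putting that advice together, added here as an example and not taken from the thread: it assumes the OIDC method is mounted at auth/oidc/ with a role whose user_claim is "sub", the transit engine is mounted at transit/, and MOUNT_ACCESSOR is a placeholder for the oidc mount's accessor as shown by `vault auth list`.

```hcl
# Added example policy (not from the thread). Assumptions: OIDC auth mounted at
# auth/oidc/, role configured with user_claim = "sub", transit mounted at
# transit/. Replace MOUNT_ACCESSOR with the oidc mount accessor from
# `vault auth list` (it looks like auth_oidc_xxxxxxxx).

# Each user may create and inspect only the transit key named after their own
# OIDC subject. Vault substitutes the entity alias name (the user_claim value)
# when the policy is evaluated, so a single policy covers every user.
path "transit/keys/{{identity.entity.aliases.MOUNT_ACCESSOR.name}}" {
  capabilities = ["create", "read", "update"]
}

# Encrypt, decrypt, sign and verify are all "update" operations on the key path.
# Note that aes256-gcm96 keys only encrypt/decrypt and ed25519/ecdsa keys only
# sign/verify; use separate keys (or an RSA key) if a user needs both.
path "transit/encrypt/{{identity.entity.aliases.MOUNT_ACCESSOR.name}}" {
  capabilities = ["update"]
}
path "transit/decrypt/{{identity.entity.aliases.MOUNT_ACCESSOR.name}}" {
  capabilities = ["update"]
}
path "transit/sign/{{identity.entity.aliases.MOUNT_ACCESSOR.name}}" {
  capabilities = ["update"]
}
path "transit/verify/{{identity.entity.aliases.MOUNT_ACCESSOR.name}}" {
  capabilities = ["update"]
}

# Variant for the claim_mappings route: if the role maps a claim into alias
# metadata (for example claim_mappings = { "preferred_username" = "uid" }),
# the template reads that metadata key instead of the alias name.
# path "transit/encrypt/{{identity.entity.aliases.MOUNT_ACCESSOR.metadata.uid}}" {
#   capabilities = ["update"]
# }
```

Nothing here grants `list` on transit/keys/, so a user cannot enumerate other users' keys, and any path not matched is denied by default. Whichever claim you template on must yield a value that is valid as a single Vault path segment, so prefer a stable identifier such as sub over free-form display names.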

Thank you very much!

We’ll try.