When I login with oidc, I can't see kv


We are testing oidc by linking vault and azure ad!
I created a group in the vault and mapped it with the azure group to give access to kv.
But when I login with oidc, I can’t see kv.

My config is like below.

What’s the problem?

#vault auth enable oidc
#vault write auth/oidc/config oidc_discovery_url=https://login.microsoftonline.com//v2.0 oidc_client_id="" oidc_client_secret="" default_role=“reader”
#vault write auth/oidc/role/reader allowed_redirect_uris=http://localhost:8250/oidc/callback,https://:8200/ui/vault/auth/oidc/oidc/callback user_claim=“sub” policies=“reader”
#vault secrets list
Path Type Accessor Description

cubbyhole/ cubbyhole cubbyhole_c1ba5a15 per-token private secret storage
identity/ identity identity_3df48d56 identity store
kv/ kv kv_5d93db2f n/a
sys/ system system_3db2e5ef system endpoints used for control, policy and debugging

#cat test-policy.hcl
Vault policy for the test
engine: kv-v2
create, read, update
path “secret/data/kv/*” {
capabilities = [“create”, “update”, “read”]

delete latest version of a key
path “secret/data/kv/*” {
capabilities = [“delete”]

delete any version of a key
path “secret/delete/kv/*” {
capabilities = [“update”]

destroy a version of a key
path “secret/destroy/kv/*” {
capabilities = [“update”]

read, list and delete metadata
path “secret/metadata/kv/*” {
capabilities = [“read”, “list”, “delete”]

#vault write identity/group name=“kb-test” type=“external” policies=“test-policy”
Key Value
id 61cfb556-37fb-a303-79e5-f7222e3c5fbf
name kb-test

#vault write identity/group-alias name=“141cd6e0-50a1-436e-9fed-d31d734b3087” mount_accessor=“auth_oidc_629435cf” canonical_id=“61cfb556-37fb-a303-79e5-f7222e3c5fbf”
Key Value
canonical_id 61cfb556-37fb-a303-79e5-f7222e3c5fbf
id a9bcad6d-9d83-355d-d76c-d3591013f5d4

Hi @s2lee,

I think this help center article helps with your role settings:

I added it, but it doesn’t work.

path “secret/*”
capabilities = [“create”, “read”, “update”, “delete”, “list”, “sudo”]

@s2lee remember that all settings are path-based. You must use the right path name in your policy. $ vault secrets list gives you the list of your enabled secret engines and its path.

From your screenshot, the path is not secret/* but rather kv6/*.

Oh, my God
Why didn’t my eyes see it!

thank you so much!