Hello!
We are testing OIDC by linking Vault and Azure AD!
I created a group in Vault and mapped it to the Azure group to give access to kv.
But when I log in with OIDC, I can't see kv.
My config is like below.
What’s the problem?
#vault auth enable oidc
#vault write auth/oidc/config oidc_discovery_url=https://login.microsoftonline.com//v2.0 oidc_client_id="" oidc_client_secret="" default_role="reader"
#vault write auth/oidc/role/reader allowed_redirect_uris=http://localhost:8250/oidc/callback,https://:8200/ui/vault/auth/oidc/oidc/callback user_claim="sub" policies="reader"
#vault secrets list
Path Type Accessor Description
cubbyhole/ cubbyhole cubbyhole_c1ba5a15 per-token private secret storage
identity/ identity identity_3df48d56 identity store
kv/ kv kv_5d93db2f n/a
sys/ system system_3db2e5ef system endpoints used for control, policy and debugging
#cat test-policy.hcl
# Vault policy for the test
# engine: kv-v2

# create, read, update
path "secret/data/kv/*" {
  capabilities = ["create", "update", "read"]
}

# delete latest version of a key
path "secret/data/kv/*" {
  capabilities = ["delete"]
}

# delete any version of a key
path "secret/delete/kv/*" {
  capabilities = ["update"]
}

# destroy a version of a key
path "secret/destroy/kv/*" {
  capabilities = ["update"]
}

# read, list and delete metadata
path "secret/metadata/kv/*" {
  capabilities = ["read", "list", "delete"]
}
#vault write identity/group name="kb-test" type="external" policies="test-policy"
Key Value
id 61cfb556-37fb-a303-79e5-f7222e3c5fbf
name kb-test
#vault write identity/group-alias name="141cd6e0-50a1-436e-9fed-d31d734b3087" mount_accessor="auth_oidc_629435cf" canonical_id="61cfb556-37fb-a303-79e5-f7222e3c5fbf"
Key Value
canonical_id 61cfb556-37fb-a303-79e5-f7222e3c5fbf
id a9bcad6d-9d83-355d-d76c-d3591013f5d4
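An offline check, added here as an example and not part of the post or of Vault's own tooling: it parses the `path` rules of a policy file and compares each rule's leading path segment with the mount table printed by `vault secrets list`. Vault matches policy paths literally against the request path, so a rule under `secret/...` never applies to a KV engine mounted at `kv/` and grants nothing. The sample inputs are constructed from the post above (straight quotes assumed).

```python
import re

# Constructed sample inputs taken from the post: the `vault secrets list` table
# and two of the rules from test-policy.hcl.
MOUNTS_OUTPUT = """\
Path         Type         Accessor              Description
cubbyhole/   cubbyhole    cubbyhole_c1ba5a15    per-token private secret storage
identity/    identity     identity_3df48d56     identity store
kv/          kv           kv_5d93db2f           n/a
sys/         system       system_3db2e5ef       system endpoints used for control, policy and debugging
"""

POLICY_HCL = """\
path "secret/data/kv/*" {
  capabilities = ["create", "update", "read"]
}
path "secret/metadata/kv/*" {
  capabilities = ["read", "list", "delete"]
}
"""

PATH_RULE = re.compile(r'^\s*path\s+"([^"]+)"', re.MULTILINE)


def parse_mounts(listing: str) -> list[str]:
    """Mount paths (first column) from `vault secrets list`, header line skipped."""
    rows = [ln.split() for ln in listing.splitlines()[1:] if ln.strip()]
    return [row[0] for row in rows]


def policy_paths(hcl: str) -> list[str]:
    """Every path a policy file grants capabilities on, in file order."""
    return PATH_RULE.findall(hcl)


def unmatched_paths(hcl: str, listing: str) -> list[str]:
    """Rules whose leading segment names no mounted engine; such rules grant nothing."""
    mounts = set(parse_mounts(listing))
    missing = []
    for path in policy_paths(hcl):
        head = path.split("/", 1)[0]
        if "*" in head or "+" in head:      # e.g. "+/data/*" can match any mount
            continue
        if head + "/" not in mounts:
            missing.append(path)
    return missing


if __name__ == "__main__":
    for path in unmatched_paths(POLICY_HCL, MOUNTS_OUTPUT):
        print(f"rule {path!r} matches no mount in {parse_mounts(MOUNTS_OUTPUT)}")
```

On a live cluster, feed it the output of `vault policy read test-policy` and `vault secrets list`; after an OIDC login, `vault token capabilities kv/data/<key>` shows what the resulting token actually holds on the real mount path.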