Madalozzo

Reputation: 50

Hashicorp Vault error "groups," claim not found in token

I am trying to configure OIDC login with Azure AD in Hashicorp Vault, but I get this error:

"groups," claim not found in token

It happens only when I try to apply a policy using groups. Using the default group (reader group) it works.

These are all the steps that I did:

Policy configuration:

vault policy write manager manager.hcl

Content of manager.hcl:

path "/secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

vault policy write reader reader.hcl

Content of reader.hcl:

path "/secret/*" {
    capabilities = ["read", "list"]
}

Activate OIDC:

vault auth enable oidc

vault write auth/oidc/config \
        oidc_discovery_url="https://login.microsoftonline.com/{my-tenant-id}/v2.0" \
        oidc_client_id="{my-client-id}" \
        oidc_client_secret="{my-client-secret}" \
        default_role="reader"
vault write auth/oidc/role/reader \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        policies="reader" \
        verbose_oidc_logging="true"

And then, to log in: vault login -method=oidc

With above commands I can login.

The problem comes when I change roles to match OIDC groups (following this doc https://learn.hashicorp.com/vault/identity-access-management/oidc-auth#cli-command-3):

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"
vault write identity/group name="manager" type="external" \
        policies="manager" \
        metadata=responsibility="Manager"
vault write identity/group-alias name="{my-group-hash-1}" \
        mount_accessor={id-of-oidc-config} \
        canonical_id="{group-id-from-above-command}"

And then when I try to log in I get the error "groups," claim not found in token. When I put the token in the jwt.io debugger, there is a list of groups like this:

  "groups": [
    "my-group-hash-1",
    "my-group-hash-2",
    ...
  ],

How can I fix this to define policies based on groups from the token? Vault version is 1.4.2

Upvotes: 1

Views: 4963

Answers (1)

lxop

Reputation: 8615

In this command:

vault write auth/oidc/role/manager \
        bound_audiences="{my-client-id}" \
        allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="email" \
        groups_claim="groups", \   # <----- You have a comma here
        policies="manager" \
        verbose_oidc_logging="true" \
        oidc_scopes="https://graph.microsoft.com/.default"

you have a bonus comma on the groups_claim argument. Remove the comma and it should sort out your problem.

Upvotes: 3
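To make the failure visible without a Vault server, here is an added example (not code from the poster or from Vault) that models how the OIDC auth method resolves `groups_claim` against the decoded ID token and how matching group values pick up policies through external identity groups. The resolution rule (a claim name starting with `/` is a JSON pointer, anything else is a top-level key) and the error wording are modelled on Vault's documented behaviour; the sample token payload, the group IDs and the alias-to-policy table are constructed for the example.

```python
import base64
import json

# Constructed sample ID-token payload (unsigned; signature checking is out of scope here).
# The group values stand in for the Azure AD group object IDs the question saw on jwt.io.
SAMPLE_PAYLOAD = {
    "aud": "my-client-id",
    "email": "alice@example.com",
    "groups": ["my-group-hash-1", "my-group-hash-2"],
}


def encode_payload(payload: dict) -> str:
    """Build a JWT-shaped string 'header.payload.sig' with a dummy signature (constructed)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}.sig"


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it (debugging only, like jwt.io)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def get_claim(claims: dict, name: str):
    """Resolve a claim name the way Vault documents it (modelled here, an assumption about the
    implementation): a leading '/' means a JSON pointer, otherwise a top-level key.
    Returns None when the claim is absent."""
    if not name.startswith("/"):
        return claims.get(name)
    node = claims
    for part in name.split("/")[1:]:
        part = part.replace("~1", "/").replace("~0", "~")  # JSON pointer escapes
        if isinstance(node, list):
            try:
                node = node[int(part)]
            except (ValueError, IndexError):
                return None
        elif isinstance(node, dict) and part in node:
            node = node[part]
        else:
            return None
    return node


class ClaimError(Exception):
    pass


def resolve_groups(token: str, groups_claim: str) -> list:
    """Return the group list named by groups_claim, or raise with Vault's 'not found' wording.
    A stray character in the role config (e.g. 'groups,') fails here, not at the IdP."""
    groups = get_claim(decode_claims(token), groups_claim)
    if groups is None:
        raise ClaimError(f'"{groups_claim}" claim not found in token')
    if not isinstance(groups, list):
        raise ClaimError(f'"{groups_claim}" claim is not a list')  # example's own wording
    return [str(g) for g in groups]


# Constructed table: identity group-alias name (the Azure AD group object ID) -> policies of
# the external identity group it points at. Mirrors the `vault write identity/group-alias` step.
GROUP_ALIASES = {
    "my-group-hash-1": ["manager"],
}


def policies_for(token: str, groups_claim: str, role_policies: list) -> list:
    """Policies a login would receive: the role's own policies plus those of every external
    identity group whose alias matches a value in the token's groups claim."""
    policies = list(role_policies)
    for group in resolve_groups(token, groups_claim):
        for policy in GROUP_ALIASES.get(group, []):
            if policy not in policies:
                policies.append(policy)
    return policies


if __name__ == "__main__":
    tok = encode_payload(SAMPLE_PAYLOAD)
    try:
        policies_for(tok, "groups,", ["default"])  # the misconfigured claim name
    except ClaimError as err:
        print("misconfigured:", err)
    print("fixed:", policies_for(tok, "groups", ["default"]))
```

The claim name is matched literally, so `groups,` is looked up as a key that does not exist, which is exactly the message the question reports; `groups` and the pointer form `/groups` both resolve. When checking a real login, compare the claim names in `vault read auth/oidc/role/<name>` character by character against the decoded token before looking anywhere else.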
