Introduction
When configuring the OIDC auth method in Vault, users can be restricted from accessing Vault based on the bound_claims set on the OIDC role. This parameter is a map of claims (keys) to match against the permitted claim values (values) returned by the identity provider. This article explains how to configure bound_claims on the role when using Azure Active Directory as the identity provider. Restrictions when logging into Vault can be based on Azure AD groups, app roles, emails, and other claims.
Procedure
- Enable and configure the OIDC auth method within Vault along with creating Vault role(s).
- (Optional) Create Vault external group(s) to associate with Azure AD.
- Gather the necessary claims from Azure AD to assign as a claim to the Vault role.
- Restrict access based on Azure AD Group.
  - The claim key will be set to groups and the claim value will be the group(s) in Azure AD.
  - In the below example, the ObjectID of the Azure AD group will be used.
  - Set the map for the bound_claims parameter to groups (key) and ObjectID (value).
vault write auth/oidc/role/<VaultRole> -<<EOF
{
"bound_claims": {
"groups": ["<AADGroupObjectId>"]
}
}
EOF
- Restrict access based on Azure AD App Roles.
  - In the below example, the key roles will be used with the app role value (AppRoleID) from Azure.
vault write auth/oidc/role/<VaultRole> -<<EOF
{
"bound_claims": {
"roles": ["<AADAppRoleValue>"]
}
}
EOF
- Restrict access based on specific Azure AD user emails.
  - In the below example, the key email will be used with a list of user email values.
vault write auth/oidc/role/<VaultRole> -<<EOF
{
"bound_claims": {
"email": [ "<email1>", "<email2>" ]
}
}
EOF
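To see how the three role definitions above behave once Azure AD returns a token, the following is an added example (not part of the original article or of Vault's own code) that re-implements Vault's default exact-match bound_claims check so a role's map can be dry-run offline against a decoded ID token. The token claims and the group, role and email identifiers are constructed placeholders.

```python
# Added example: minimal re-implementation of the bound_claims check Vault
# performs on claims returned by Azure AD (default bound_claims_type, exact
# string match). Sample claims are constructed; identifiers are placeholders.
from typing import Any, Dict, List

BoundClaims = Dict[str, List[str]]


def _as_list(value: Any) -> List[str]:
    """Azure AD emits some claims as a single string (email, oid) and others
    as an array (groups, roles); normalise both to a list of strings."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def bound_claims_match(bound_claims: BoundClaims,
                       token_claims: Dict[str, Any]) -> Dict[str, bool]:
    """Per bound claim key: True if at least one value in the token is one of
    the permitted values. A key absent from the token fails (login denied),
    which is also what happens when Azure omits the groups claim."""
    result = {}
    for key, permitted in bound_claims.items():
        present = _as_list(token_claims.get(key))
        result[key] = any(v in permitted for v in present)
    return result


def login_allowed(bound_claims: BoundClaims, token_claims: Dict[str, Any]) -> bool:
    """Every bound claim key must match; one failing key denies the login."""
    return all(bound_claims_match(bound_claims, token_claims).values())


# Constructed sample of a decoded Azure AD ID token, the kind of content
# verbose_oidc_logging exposes in the Vault log (placeholder identifiers).
SAMPLE_TOKEN_CLAIMS = {
    "email": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-00000000aaaa",
               "00000000-0000-0000-0000-00000000bbbb"],
    "roles": ["VaultAdmin"],
}

# The three role definitions from the article, plus a combined one.
GROUP_ROLE = {"groups": ["00000000-0000-0000-0000-00000000aaaa"]}
APP_ROLE = {"roles": ["VaultAdmin"]}
EMAIL_ROLE = {"email": ["alice@example.com", "bob@example.com"]}
COMBINED_ROLE = {"groups": ["00000000-0000-0000-0000-00000000aaaa"],
                 "roles": ["VaultReader"]}
```

Running login_allowed against SAMPLE_TOKEN_CLAIMS allows the group, app role and email roles and denies the combined role, since the token carries VaultAdmin rather than VaultReader.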
Troubleshooting claims returned from the IdP
You can further test which claims are available when Vault makes the OIDC call to Azure. Note that enabling this in a production environment is not recommended, since sensitive information may be present in the OIDC responses.
- Enable verbose OIDC logging for individual Vault roles by running:
vault write auth/oidc/role/<VaultRole> verbose_oidc_logging="true"
- When attempting to log into Vault via the OIDC method, Vault will log additional information and show the OIDC provider responses. This logging will include all claims provided by Azure AD. These claims can then be added to the Vault role with bound_claims to restrict access to Vault.
Additional Information