Roles

Now that the policies have been defined, we will create one role for each of them. This is done through the terminal available in the Vault application.

For the common user, create the DEMO role with the following command (don't forget to fill in the client ID):

vault write auth/oidc/role/demo \
        bound_audiences="CLIENT_ID" \
        allowed_redirect_uris="http://<your service host>:8200/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://<your service host>:8250/oidc/callback" \
        user_claim="sub" \
        policies="default" \
        verbose_oidc_logging="true"

For the administrator, create the ADMIN role with the following command (don't forget to fill in the client ID):

vault write auth/oidc/role/admin \
        bound_audiences="CLIENT_ID" \
        allowed_redirect_uris="http://<your service host>:8200/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://<your service host>:8250/oidc/callback" \
        user_claim="sub" \
        policies="admin" \
        verbose_oidc_logging="true"

It is important to remember that the role set as the default in the OIDC configuration does not need to be entered at login; in this case, however, to log in as administrator it is necessary to enter the role name.
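The two commands above, as an added script that is not part of this guide: it creates both roles in one pass and refuses to run while the placeholders (CLIENT_ID, <your service host>) are still in place. It assumes the vault CLI is on PATH, VAULT_ADDR and VAULT_TOKEN are exported, and the OIDC auth method is already enabled at auth/oidc; the VAULT_CMD dry-run hook and the CLIENT_ID/VAULT_HOST/VERBOSE_OIDC variables are inventions of this example, not Vault features.

```shell
#!/bin/sh
# Added example, not from the original guide. Creates the demo and admin
# roles described above and refuses to run while the guide's placeholders
# are still in place. VAULT_CMD is a dry-run hook invented here
# (e.g. VAULT_CMD=echo); it is not a Vault feature.
set -eu

# Reject values that are still placeholders. Returns 1 on the first problem.
check_inputs() {
  case "$1" in
    ""|CLIENT_ID) echo "client id is still a placeholder" >&2; return 1 ;;
  esac
  case "$2" in
    ""|*"<"*|*">"*) echo "service host is still a placeholder" >&2; return 1 ;;
  esac
  return 0
}

# create_role ROLE POLICY CLIENT_ID HOST [VERBOSE]
# Same arguments as the vault write commands above, with one difference:
# verbose_oidc_logging defaults to false, because Vault documents it as a
# debugging aid that writes received tokens and claims to the server log.
create_role() {
  role="$1"; policy="$2"; client_id="$3"; host="$4"; verbose="${5:-false}"
  check_inputs "$client_id" "$host" || return 1
  # Repeating allowed_redirect_uris makes the CLI send it as a list.
  set -- "auth/oidc/role/$role" \
    "bound_audiences=$client_id" \
    "allowed_redirect_uris=http://$host:8200/ui/vault/auth/oidc/oidc/callback" \
    "allowed_redirect_uris=http://$host:8250/oidc/callback" \
    "user_claim=sub" \
    "policies=$policy" \
    "verbose_oidc_logging=$verbose"
  ${VAULT_CMD:-vault} write "$@"
}

# Runs only when the operator has exported the real values, e.g.
#   CLIENT_ID=... VAULT_HOST=vault.example.internal sh roles.sh
if [ -n "${CLIENT_ID:-}" ] && [ -n "${VAULT_HOST:-}" ]; then
  create_role demo  default "$CLIENT_ID" "$VAULT_HOST" "${VERBOSE_OIDC:-false}"
  create_role admin admin   "$CLIENT_ID" "$VAULT_HOST" "${VERBOSE_OIDC:-false}"
fi
```

Set VERBOSE_OIDC=true only while debugging a login, and write the roles again with it off afterwards.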