Hashicorp Vault 错误 "groups," 在令牌中找不到声明
Hashicorp Vault error "groups," claim not found in token
我正在尝试在 Hashicorp Vault 中使用 Azure AD 配置 OIDC 登录,但出现此错误:
"groups," claim not found in token
它发生在我尝试使用组应用一项策略时。使用默认组(reader 组)有效
这是我执行的所有步骤:
策略配置:
vault policy write manager manager.hcl
manager.hcl的内容:
path "/secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
vault policy write reader reader.hcl
reader.hcl的内容:
path "/secret/*" {
capabilities = ["read", "list"]
}
激活 OIDC:
vault auth enable oidc
vault write auth/oidc/config \
oidc_discovery_url="https://login.microsoftonline.com/{my-tenant-id}/v2.0" \
oidc_client_id="{my-client-id}" \
oidc_client_secret="{my-client-secret}" \
default_role="reader"
vault write auth/oidc/role/reader \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
policies="reader" \
verbose_oidc_logging="true"
然后登录vault login -method=oidc
通过上面的命令我可以登录。
当我更改角色以匹配 OIDC 组时出现问题(遵循此文档 https://learn.hashicorp.com/vault/identity-access-management/oidc-auth#cli-command-3):
vault write auth/oidc/role/manager \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
groups_claim="groups", \
policies="manager" \
verbose_oidc_logging="true" \
oidc_scopes="https://graph.microsoft.com/.default"
vault write identity/group name="manager" type="external" \
policies="manager" \
metadata=responsibility="Manager"
vault write identity/group-alias name="{my-group-hash-1}" \
mount_accessor={id-of-oidc-config} \
canonical_id="{group-id-from-above-command}"
然后当我尝试登录时出现错误 "groups," claim not found in token
当我将令牌放入 jwt.io 调试器时,有一个这样的组列表:
"groups": [
"my-group-hash-1",
"my-group-hash-2",
...
],
如何解决此问题以根据来自令牌的组定义策略?
Vault 版本为 1.4.2
在这个命令中:
vault write auth/oidc/role/manager \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
groups_claim="groups", \ # <----- You have a comma here
policies="manager" \
verbose_oidc_logging="true" \
oidc_scopes="https://graph.microsoft.com/.default"
您在 groups_claim 参数上有一个额外的逗号。删除逗号,它应该可以解决您的问题。
我正在尝试在 Hashicorp Vault 中使用 Azure AD 配置 OIDC 登录,但出现此错误:
"groups," claim not found in token
它发生在我尝试使用组应用一项策略时。使用默认组(reader 组)有效
这是我执行的所有步骤:
策略配置:
vault policy write manager manager.hcl
manager.hcl的内容:
path "/secret/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
vault policy write reader reader.hcl
reader.hcl的内容:
path "/secret/*" {
capabilities = ["read", "list"]
}
激活 OIDC:
vault auth enable oidc
vault write auth/oidc/config \
oidc_discovery_url="https://login.microsoftonline.com/{my-tenant-id}/v2.0" \
oidc_client_id="{my-client-id}" \
oidc_client_secret="{my-client-secret}" \
default_role="reader"
vault write auth/oidc/role/reader \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
policies="reader" \
verbose_oidc_logging="true"
然后登录vault login -method=oidc
通过上面的命令我可以登录。
当我更改角色以匹配 OIDC 组时出现问题(遵循此文档 https://learn.hashicorp.com/vault/identity-access-management/oidc-auth#cli-command-3):
vault write auth/oidc/role/manager \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
groups_claim="groups", \
policies="manager" \
verbose_oidc_logging="true" \
oidc_scopes="https://graph.microsoft.com/.default"
vault write identity/group name="manager" type="external" \
policies="manager" \
metadata=responsibility="Manager"
vault write identity/group-alias name="{my-group-hash-1}" \
mount_accessor={id-of-oidc-config} \
canonical_id="{group-id-from-above-command}"
然后当我尝试登录时出现错误 "groups," claim not found in token
当我将令牌放入 jwt.io 调试器时,有一个这样的组列表:
"groups": [
"my-group-hash-1",
"my-group-hash-2",
...
],
如何解决此问题以根据来自令牌的组定义策略? Vault 版本为 1.4.2
在这个命令中:
vault write auth/oidc/role/manager \
bound_audiences="{my-client-id}" \
allowed_redirect_uris="https://{my-site}/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="email" \
groups_claim="groups", \ # <----- You have a comma here
policies="manager" \
verbose_oidc_logging="true" \
oidc_scopes="https://graph.microsoft.com/.default"
您在 groups_claim 参数上有一个额外的逗号。删除逗号,它应该可以解决您的问题。