After installing Vault, run the following command to log in. The root token is printed to stdout on the first run:
$ vault login -method=token [your root token]
Write down your OIDC configs, such as client_id and client_secret ...
Enable the OIDC method in Vault:
$ vault auth enable oidc
Set the OIDC config in Vault:
$ vault write auth/oidc/config \
oidc_discovery_url="[provider url]" \
oidc_client_id="[client_id]" \
oidc_client_secret="[client_secret]" \
default_role="reader" \
oidc_scopes="openid profile email phone address groups" \
bound_issuer="localhost"
Create a reader policy in Vault; we are going to assign this policy to our role:
path "secret/*" {
capabilities = ["read", "list"]
}
Create a role for our OIDC method; here we create a reader role:
$ vault write auth/oidc/role/reader \
bound_audiences="[client_id]" \
allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
groups_claim="groups" \
user_claim="sub" \
policies=reader
Log in to Vault using the OIDC method. This command opens your browser to log you in:
$ vault login -method=oidc role=reader
NOTE
After a successful login with any of the above methods, if you want to change something in Vault that requires root permissions, you need to log in again with the token method using the following command:
$ vault login -method=token [token]
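A pre-flight check for the configuration above, written here as an added example (it is not part of the original notes and not Vault tooling). The discovery document is a constructed stand-in for what the provider serves at <oidc_discovery_url>/.well-known/openid-configuration, and the bracketed values are the same placeholders as in the commands. It checks that bound_issuer equals the provider's issuer (Vault compares it with the iss claim), that bound_audiences equals client_id, that redirect URIs are loopback or https, and that the reader role stays at read/list and never maps to root.

```python
import re

# Values from the walkthrough above; bracketed placeholders are kept as obvious stand-ins.
OIDC_CONFIG = {
    "oidc_client_id": "[client_id]",
    "bound_issuer": "localhost",
}
READER_ROLE = {
    "bound_audiences": "[client_id]",
    "allowed_redirect_uris": [
        "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
        "http://localhost:8250/oidc/callback",
    ],
    "groups_claim": "groups",
    "user_claim": "sub",
    "policies": "reader",
}
READER_POLICY_HCL = 'path "secret/*" {\n  capabilities = ["read", "list"]\n}'
# Constructed stand-in for the provider's /.well-known/openid-configuration response.
DISCOVERY_DOC = {"issuer": "https://idp.example.test", "claims_supported": ["sub", "email", "groups"]}

def policy_capabilities(hcl):
    """Parse the simple policy HCL used above into {path: [capabilities]}."""
    pattern = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]'
    return {p: re.findall(r'"(\w+)"', caps) for p, caps in re.findall(pattern, hcl)}

def check_oidc_setup(config, role, policy_hcl, discovery):
    """Return a list of misconfigurations; an empty list means the setup is consistent."""
    findings = []
    # Vault matches bound_issuer against the token's iss claim, so it must equal the provider issuer exactly.
    if config.get("bound_issuer") and config["bound_issuer"] != discovery["issuer"]:
        findings.append(f"bound_issuer {config['bound_issuer']!r} differs from provider issuer {discovery['issuer']!r}")
    # The ID token's aud claim is the client_id, which bound_audiences must match.
    if role["bound_audiences"] != config["oidc_client_id"]:
        findings.append("bound_audiences does not match oidc_client_id")
    # Plain-http callbacks are only acceptable on loopback (the UI and CLI callbacks above).
    for uri in role["allowed_redirect_uris"]:
        m = re.match(r"(https?)://([^/:]+)", uri)
        if not m or (m.group(1) == "http" and m.group(2) not in ("localhost", "127.0.0.1")):
            findings.append(f"redirect URI is not https or loopback: {uri}")
    for key in ("groups_claim", "user_claim"):
        if role[key] not in discovery.get("claims_supported", []):
            findings.append(f"provider does not advertise claim {role[key]!r}")
    # Least privilege: the reader policy stays read/list and the role never maps to root.
    for path, caps in policy_capabilities(policy_hcl).items():
        if extra := set(caps) - {"read", "list"}:
            findings.append(f"policy grants more than read/list on {path}: {sorted(extra)}")
    if "root" in role["policies"].split(","):
        findings.append("OIDC role must not carry the root policy")
    return findings
```

Run against the values above it reports the bound_issuer mismatch with the sample issuer; replace DISCOVERY_DOC with your provider's real document and the issuer line must match what you pass as bound_issuer.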
Articles worth mentioning:
hashicorp-vault-groups-integration-with-google-g-suite