我正在构建一个启用了 oidc 的金库。我已经创建了 oidc 配置和角色,包括组和组别名。但事实证明我面临着与
相关的问题无法获取组:获取“https://admin.googleapis.com/admin/directory/v1/groups?alt=json&fields=nextPageToken%2Cgroups%28email%29&prettyPrint=false&userKey=xxxxxxxxxxxx”:oauth2:无法获取令牌:401未经授权的响应:{“error”:“unauthorized_client”,“error_description”:“客户端未经授权使用此方法检索访问令牌,或者客户端未获得任何请求范围的授权。” }
我已授予以下角色的访问权限:
1.https://www.googleapis.com/auth/admin.directory.group.readonly
2.https://www.googleapis.com/auth/admin.directory.user.readonly
这是我使用的命令:
vault write auth/oidc/config -<<EOF
{
"oidc_discovery_url": "https://accounts.google.com",
"oidc_client_id": "xxxxxxxxxxxx.apps.googleusercontent.com",
"oidc_client_secret": "xxxxxx-xxxxxxxxx-xxxxxxxxx",
"default_role": "noaccess",
"provider_config": {
"provider": "gsuite",
"gsuite_service_account": "/var/vault/sa.json",
"gsuite_admin_impersonate": "[email protected]",
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5
}
}
EOF
vault write auth/oidc/role/noaccess \
allowed_redirect_uris="https://xxxxx.xxxx.xxxxxx.com/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
user_claim="sub" \
policies= "" \
ttl=1h \
groups_claim="groups"
vault write identity/group name="[email protected]" type="external" \
policies="reader" \
metadata=responsibility="reader"
export GROUP_ID="xxxx-xxxx-xxxx-xxxx-xxxxxxxx"
vault auth list -format=json | jq -r '."oidc/".accessor' > accessor.txt
vault write identity/group-alias name="[email protected]" \
mount_accessor=$(cat accessor.txt) \
canonical_id="$GROUP_ID"
如果我删除
groups_claim="groups"这个问题你解决了吗?谢谢!