author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-17 21:09:01 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-17 21:09:01 +0300 |
commit | e388691e4a5b5b69be903c7eceb606b853719cd5 (patch) | |
tree | 97875b98a9a9c7b0dfe9245ce70d5e38ac3a3549 /doc/integration/vault.md | |
parent | cb840235d7fb4001dab266c614bd2cf59036fe18 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/vault.md')
-rw-r--r-- | doc/integration/vault.md | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/doc/integration/vault.md b/doc/integration/vault.md index 362ae36389b..06f8a452427 100644 --- a/doc/integration/vault.md +++ b/doc/integration/vault.md @@ -76,15 +76,25 @@ The following assumes you already have Vault installed and running. This configuration is saved under the name of the role you are creating. In this case, we are creating a `demo` role. Later, we show how you can access this role through the Vault CLI. + WARNING: + If you're using a public GitLab instance (GitLab.com or any other instance publicly + accessible), it's paramount to specify the `bound_claims` to allow access only to + members of your group/project. Otherwise, anyone with a public account can access + your Vault instance. + ```shell - vault write auth/oidc/role/demo \ - user_claim="sub" \ - allowed_redirect_uris="http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \ - bound_audiences="your_application_id" \ - role_type="oidc" \ - oidc_scopes="openid" \ - policies=demo \ - ttl=1h + vault write auth/oidc/role/demo -<<EOF + { + "user_claim": "sub", + "allowed_redirect_uris": "your_vault_instance_redirect_uris", + "bound_audiences": "your_application_id", + "oidc_scopes": "openid", + "role_type": "oidc", + "policies": "demo", + "ttl": "1h", + "bound_claims": { "groups": ["yourGroup/yourSubgrup"] } + } + EOF ``` 1. **Sign in to Vault:** |
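Review bot: the `bound_claims` placeholder in the new heredoc has a typo, `"yourSubgrup"` should read `"yourSubgroup"`; since the WARNING added just above says this claim is the only thing keeping anyone with a public GitLab account out of the Vault instance, the value readers copy from this example needs to be right. Two smaller points in the same hunk: the WARNING tells readers to restrict access to "members of your group/project", but the example only shows the group form (`"bound_claims": { "groups": [...] }`), so either add the project variant or narrow the warning to groups; and the rewrite replaces the concrete `allowed_redirect_uris` values (`http://localhost:8250/oidc/callback` and the Vault UI callback) with the opaque placeholder `"your_vault_instance_redirect_uris"` without saying what belongs there, so either keep the previous URIs as the example value or add a sentence explaining the placeholder.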