bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: write bound_claims as file

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 02:56:29 -03:00
parent fd2ae6bdd5
commit 4111fb079f
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
services/vault/scripts/vault_oidc_configure.sh
View File

@ -84,8 +84,10 @@ configure_role() {
return return
fi fi
claims="$(build_bound_claims "${groups_claim}" "${role_groups}")" claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
claims_file="$(mktemp)"
printf '%s' "${claims}" > "${claims_file}"
scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')" scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=${claims} bound_claims_type=${bound_claims_type}" role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=@${claims_file} bound_claims_type=${bound_claims_type}"
if [ -n "${groups_claim}" ]; then if [ -n "${groups_claim}" ]; then
role_args="${role_args} groups_claim=${groups_claim}" role_args="${role_args} groups_claim=${groups_claim}"
fi fi
@ -100,6 +102,7 @@ configure_role() {
IFS=$old_ifs IFS=$old_ifs
log "configuring oidc role ${role_name}" log "configuring oidc role ${role_name}"
vault write "auth/oidc/role/${role_name}" ${role_args} vault write "auth/oidc/role/${role_name}" ${role_args}
rm -f "${claims_file}"
} }
configure_role "admin" "${admin_group}" "${admin_policies}" configure_role "admin" "${admin_group}" "${admin_policies}"