Configure groups and policies
After you've completed the steps in Integrate HashiCorp Cloud Platform Vault with Okta, you can create groups and policies.
Configure groups in Okta
Create a group for each type of user (admins and developers, for example) who requires access to HCP Vault.
- For each Okta-sourced group that you want to create, complete the steps in Create a group. Ensure that each group name uses the okta-group-vault prefix. For example, okta-group-vault-admins for admin users and okta-group-vault-developer for developer users.
- Manually assign people to a group (or Bulk assign people to a group) to grant granular access levels to users.
Configure policies in HCP Vault
Create a policy for each of the user groups that you created in the previous section. Policies ensure that different user personas and capabilities can access secrets that are stored in HCP Vault. See Introduction to policies for more information. There are two ways to configure policies: Use a CLI command or Use the API.
Use a CLI command
- Run this command to create a policy file named vault-policy-developer-read.hcl:

      #!/bin/bash
      tee vault-policy-developer-read.hcl <<EOF
      # Read permission on the k/v secrets
      path "/secret/*" {
        capabilities = ["read", "list"]
      }
      EOF

- Run this command to create a policy named vault-policy-developer-read. The policy uses the file that you created in the previous step:

      #!/bin/bash
      vault policy write vault-policy-developer-read vault-policy-developer-read.hcl

- Run this command to create a policy file named vault-policy-admin.hcl:

      #!/bin/bash
      tee vault-policy-admin.hcl <<EOF
      # Admin policy
      path "*" {
        capabilities = ["sudo", "read", "create", "update", "delete", "list", "patch"]
      }
      EOF

- Run this command to create a policy named vault-policy-admin. The policy uses the file that you created in the previous step:

      #!/bin/bash
      vault policy write vault-policy-admin vault-policy-admin.hcl

- Run this command to view the policies you just created, as well as the default HCP Vault policies:

      #!/bin/bash
      vault policy list
Use the API
Complete these steps in either HCP Vault Dedicated or HCP Vault.
HCP Vault Dedicated
- Create a JSON file that contains the vault-policy-developer-read policy:

      #!/bin/bash
      tee vault-policy-developer-read.json <<EOF
      {
        "policy": "path \"/secret/*\" {\n\tcapabilities = [\"read\", \"list\"]\n}\n"
      }
      EOF

- Create a policy named vault-policy-developer-read that uses the policy that's defined in vault-policy-developer-read.json:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request PUT \
           --data @vault-policy-developer-read.json \
           $VAULT_ADDR/v1/sys/policies/acl/vault-policy-developer-read

- Create a JSON file that contains the vault-policy-admin policy:

      #!/bin/bash
      tee vault-policy-admin.json <<EOF
      {
        "policy": "path \"/secret/*\" {\n\tcapabilities = [\"read\", \"list\", \"sudo\", \"create\", \"update\", \"delete\", \"patch\"]\n}\n"
      }
      EOF

- Create a policy named vault-policy-admin that uses the policy that's defined in vault-policy-admin.json:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request PUT \
           --data @vault-policy-admin.json \
           $VAULT_ADDR/v1/sys/policies/acl/vault-policy-admin

- Run this command to view the policies you just created, as well as the default HCP Vault Dedicated policies:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           $VAULT_ADDR/v1/sys/policy | jq '.data | .policies'
HCP Vault
- Create a JSON file that contains the vault-policy-developer-read policy:

      #!/bin/bash
      tee vault-policy-developer-read.json <<EOF
      {
        "policy": "path \"/secret/*\" {\n\tcapabilities = [\"read\", \"list\"]\n}\n"
      }
      EOF

- Create a policy named vault-policy-developer-read that uses the policy that's defined in vault-policy-developer-read.json:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request PUT \
           --data @vault-policy-developer-read.json \
           $VAULT_ADDR/v1/sys/policies/acl/vault-policy-developer-read

- Create a JSON file that contains the vault-policy-admin policy:

      #!/bin/bash
      tee vault-policy-admin.json <<EOF
      {
        "policy": "path \"/secret/*\" {\n\tcapabilities = [\"read\", \"list\", \"sudo\", \"create\", \"update\", \"delete\", \"patch\"]\n}\n"
      }
      EOF

- Create a policy named vault-policy-admin that uses the policy that's defined in vault-policy-admin.json:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request PUT \
           --data @vault-policy-admin.json \
           $VAULT_ADDR/v1/sys/policies/acl/vault-policy-admin

- Run this command to view the policies you just created, as well as the default HCP Vault policies:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           $VAULT_ADDR/v1/sys/policy | jq '.data | .policies'
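The two policies above are meant to give developers read-only access under the secrets path and admins everything. The following added example (not Okta's or HashiCorp's code) models the part of Vault's policy evaluation that matters for them, so you can check what a token holding one or both policies can do before you hand it out. It assumes the CLI versions of the policies (admin on "*"), treats the "default" policy as granting nothing because its rules are not on this page, and strips leading slashes before comparing paths.

```python
"""Model of how HCP Vault evaluates the two ACL policies defined above.

Added example; this is not Okta's or HashiCorp's code. It implements only the
subset of Vault policy semantics the page relies on: an exact path rule wins
over glob rules, among glob rules (paths ending in '*') the longest matching
prefix wins, capabilities for the same path are merged across the token's
policies, and a 'deny' capability overrides everything else. Leading slashes
are stripped before comparison (an assumption of this model). The 'default'
policy is modelled as empty because its own rules are not on the page.
"""

# Policy rules as (path, capabilities), transcribed from the HCL on the page.
POLICIES = {
    "vault-policy-developer-read": [
        ("/secret/*", {"read", "list"}),
    ],
    "vault-policy-admin": [
        ("*", {"sudo", "read", "create", "update", "delete", "list", "patch"}),
    ],
    # Modelled as granting nothing here; the real 'default' policy is not on the page.
    "default": [],
}


def merge_rules(policy_names):
    """Union the rules of several policies into one path -> capabilities map."""
    merged = {}
    for name in policy_names:
        for rule_path, caps in POLICIES.get(name, []):
            merged.setdefault(rule_path.lstrip("/"), set()).update(caps)
    return merged


def effective_capabilities(policy_names, request_path):
    """Capabilities a token holding policy_names has on request_path.

    Returns {"deny"} when no rule matches or a matching rule denies access,
    which is what 'vault token capabilities' reports in that situation.
    """
    request_path = request_path.lstrip("/")
    merged = merge_rules(policy_names)

    if request_path in merged:  # an exact path rule beats any glob rule
        caps = merged[request_path]
    else:
        best = None
        for rule_path in merged:
            if rule_path.endswith("*") and request_path.startswith(rule_path[:-1]):
                if best is None or len(rule_path) > len(best):
                    best = rule_path  # longest matching prefix wins
        caps = merged[best] if best is not None else set()

    if not caps or "deny" in caps:
        return {"deny"}
    return set(caps)


def is_allowed(policy_names, request_path, capability):
    """True if the token may perform `capability` (read, update, ...) on the path."""
    return capability in effective_capabilities(policy_names, request_path)


if __name__ == "__main__":
    developer = ["default", "vault-policy-developer-read"]
    admin = ["default", "vault-policy-admin"]
    both = ["default", "vault-policy-developer-read", "vault-policy-admin"]
    for policies, path, cap in [
        (developer, "secret/app/db", "read"),
        (developer, "secret/app/db", "update"),
        (developer, "sys/policies/acl/vault-policy-admin", "read"),
        (admin, "sys/policies/acl/vault-policy-admin", "update"),
        (both, "secret/app/db", "delete"),
    ]:
        print(policies[1:], path, cap, "->", is_allowed(policies, path, cap))
```

The last case is the one worth noticing: a token that carries both policies (a user who is in both Okta groups) still cannot delete under secret/, because the more specific "/secret/*" rule from the developer policy takes precedence over the admin policy's "*" glob. That matches Vault's longest-prefix rule and is a reason to keep the Okta groups disjoint, or to give the admin policy its own explicit rule on the secrets path. With the API variant of the admin policy on this page (which also uses "/secret/*"), the two rules share a path and their capabilities are merged instead.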
Configure groups in HCP Vault
Create groups in HCP Vault that match the groups that you've created in Okta. There are two ways to configure groups: Use a CLI command or Use the API.
Use a CLI command
- Run this command to create a role called vault-role-okta-group-vault-developer. This action assigns the default policy to the role:

      #!/bin/bash
      vault write auth/oidc/role/vault-role-okta-group-vault-developer \
        bound_audiences="$OKTA_CLIENT_ID" \
        allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        token_policies="default" \
        oidc_scopes="groups" \
        groups_claim="groups"

- Run this command to create a group called okta-group-vault-developer and assign it the vault-policy-developer-read policy:

      #!/bin/bash
      vault write identity/group name="okta-group-vault-developer" type="external" \
        policies="vault-policy-developer-read" \
        metadata=responsibility="okta-group-vault-developer"

- Run this command to create a variable called GROUP_ID. The variable contains the ID for the group that you created earlier.

      #!/bin/bash
      GROUP_ID=$(vault read -field=id identity/group/name/okta-group-vault-developer)

- Run this command to create an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(vault auth list -format=json | jq -r '."oidc/".accessor')

- Run this command to create a group alias called okta-group-vault-developer. The alias connects the OIDC authentication method and the group that you created earlier to the vault-policy-developer-read policy.

      #!/bin/bash
      vault write identity/group-alias name="okta-group-vault-developer" \
        mount_accessor="$OIDC_AUTH_ACCESSOR" \
        canonical_id="$GROUP_ID"

- Run this command, and then sign in as a developer with the okta-group-vault-developer role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-developer"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-developer-read because okta-group-vault-developer matches the assigned Okta group.

- Sign out of Okta.
- Run this command to create a role called vault-role-okta-group-vault-admins:

      #!/bin/bash
      vault write auth/oidc/role/vault-role-okta-group-vault-admins \
        bound_audiences="$OKTA_CLIENT_ID" \
        allowed_redirect_uris="$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback" \
        allowed_redirect_uris="http://localhost:8250/oidc/callback" \
        user_claim="sub" \
        token_policies="default" \
        oidc_scopes="groups" \
        groups_claim="groups"

- Run this command to create an okta-group-vault-admins group that uses the vault-policy-admin policy:

      #!/bin/bash
      vault write identity/group name="okta-group-vault-admins" type="external" \
        policies="vault-policy-admin" \
        metadata=responsibility="okta-group-vault-admins"

- Run this command to create a GROUP_ID variable that stores the okta-group-vault-admins group ID:

      #!/bin/bash
      GROUP_ID=$(vault read -field=id identity/group/name/okta-group-vault-admins)

- Run this command to create an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(vault auth list -format=json | jq -r '."oidc/".accessor')

- Run this command to create a group alias called okta-group-vault-admins. The alias connects the OIDC authentication method and the group that you created earlier to the vault-policy-admin policy.

      #!/bin/bash
      vault write identity/group-alias name="okta-group-vault-admins" \
        mount_accessor="$OIDC_AUTH_ACCESSOR" \
        canonical_id="$GROUP_ID"

- Run this command, and then sign in with the okta-group-vault-admins role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-admins"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-admin because okta-group-vault-admins matches the assigned Okta group.
Use the API
Complete these steps in either HCP Vault Dedicated or HCP Vault.
HCP Vault Dedicated
- Create a JSON file that defines the role for the okta-group-vault-developer group:

      #!/bin/bash
      tee vault-role-okta-group-vault-developer.json <<EOF
      {
        "bound_audiences": "$OKTA_CLIENT_ID",
        "allowed_redirect_uris": [
          "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
          "http://localhost:8250/oidc/callback"
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
        "oidc_scopes": "groups",
        "groups_claim": "groups"
      }
      EOF

- Send a request to create a role called vault-role-okta-group-vault-developer:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST \
           --data @vault-role-okta-group-vault-developer.json \
           $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-group-vault-developer

- Create a JSON file that assigns the vault-policy-developer-read policy to the okta-group-vault-developer group:

      #!/bin/bash
      tee okta-group-vault-developer.json <<EOF
      {
        "name": "okta-group-vault-developer",
        "policies": ["vault-policy-developer-read"],
        "type": "external",
        "metadata": {
          "responsibility": "okta-group-vault-developer"
        }
      }
      EOF

- Send a request to create a group from the okta-group-vault-developer.json group definition:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST \
           --data @okta-group-vault-developer.json \
           $VAULT_ADDR/v1/identity/group | jq

- Send a request to create a GROUP_ID variable for the okta-group-vault-developer group:

      #!/bin/bash
      GROUP_ID=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request GET \
           $VAULT_ADDR/v1/identity/group/name/okta-group-vault-developer | jq '.data | .id' -r)

- Send a request to create an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           $VAULT_ADDR/v1/sys/auth | jq '.data | ."oidc/".accessor' -r)

- Create a JSON file that defines a group alias called okta-group-vault-developer:

      #!/bin/bash
      tee alias-okta-group-vault-developer.json <<EOF
      {
        "canonical_id": "$GROUP_ID",
        "mount_accessor": "$OIDC_AUTH_ACCESSOR",
        "name": "okta-group-vault-developer"
      }
      EOF

- Send a request that registers the okta-group-vault-developer alias with HCP Vault:

      #!/bin/bash
      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST -s \
           --data @alias-okta-group-vault-developer.json \
           $VAULT_ADDR/v1/identity/group-alias | jq

- Run this command, and then sign in as a developer with the okta-group-vault-developer role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-developer"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-developer-read because okta-group-vault-developer matches the assigned Okta group.

- Sign out of Okta.
- Create a JSON file that defines the role for the okta-group-vault-admins group:

      #!/bin/bash
      tee vault-role-okta-group-vault-admins.json <<EOF
      {
        "bound_audiences": "$OKTA_CLIENT_ID",
        "allowed_redirect_uris": [
          "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
          "http://localhost:8250/oidc/callback"
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
        "oidc_scopes": "groups",
        "groups_claim": "groups"
      }
      EOF

- Send a request to create a role called vault-role-okta-group-vault-admins:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST \
           --data @vault-role-okta-group-vault-admins.json \
           $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-group-vault-admins

- Create a JSON file that defines the okta-group-vault-admins group and assigns it the vault-policy-admin policy:

      #!/bin/bash
      tee okta-group-vault-admins.json <<EOF
      {
        "name": "okta-group-vault-admins",
        "policies": ["vault-policy-admin"],
        "type": "external",
        "metadata": {
          "responsibility": "okta-group-vault-admins"
        }
      }
      EOF

- Send a request that creates a group with the group definition in okta-group-vault-admins.json:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST \
           --data @okta-group-vault-admins.json \
           $VAULT_ADDR/v1/identity/group | jq

- Send a request to create a GROUP_ID variable that contains the okta-group-vault-admins group ID:

      #!/bin/bash
      GROUP_ID=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request GET \
           $VAULT_ADDR/v1/identity/group/name/okta-group-vault-admins | jq '.data | .id' -r)

- Send a request to create an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           $VAULT_ADDR/v1/sys/auth | jq '.data | ."oidc/".accessor' -r)

- Create a JSON file that defines a group alias called okta-group-vault-admins:

      #!/bin/bash
      tee alias-okta-group-vault-admins.json <<EOF
      {
        "canonical_id": "$GROUP_ID",
        "mount_accessor": "$OIDC_AUTH_ACCESSOR",
        "name": "okta-group-vault-admins"
      }
      EOF

- Send a request to create an okta-group-vault-admins alias:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
           --request POST -s \
           --data @alias-okta-group-vault-admins.json \
           $VAULT_ADDR/v1/identity/group-alias | jq

- Run this command, and then sign in with the vault-role-okta-group-vault-admins role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-admins"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-admin because okta-group-vault-admins matches the assigned Okta group.
HCP Vault
- Create a JSON file that defines the role for the okta-group-vault-developer group:

      #!/bin/bash
      tee vault-role-okta-group-vault-developer.json <<EOF
      {
        "bound_audiences": "$OKTA_CLIENT_ID",
        "allowed_redirect_uris": [
          "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
          "http://localhost:8250/oidc/callback"
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
        "oidc_scopes": "groups",
        "groups_claim": "groups"
      }
      EOF

- Send a request to create a role called vault-role-okta-group-vault-developer:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST \
           --data @vault-role-okta-group-vault-developer.json \
           $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-group-vault-developer

- Create a JSON file that assigns the vault-policy-developer-read policy to the okta-group-vault-developer group:

      #!/bin/bash
      tee okta-group-vault-developer.json <<EOF
      {
        "name": "okta-group-vault-developer",
        "policies": ["vault-policy-developer-read"],
        "type": "external",
        "metadata": {
          "responsibility": "okta-group-vault-developer"
        }
      }
      EOF

- Send a request to create a group from the okta-group-vault-developer.json group definition:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST \
           --data @okta-group-vault-developer.json \
           $VAULT_ADDR/v1/identity/group | jq

- Send a request to create a GROUP_ID variable that contains the okta-group-vault-developer group ID:

      #!/bin/bash
      GROUP_ID=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request GET \
           $VAULT_ADDR/v1/identity/group/name/okta-group-vault-developer | jq '.data | .id' -r)

- Send a request that creates an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           $VAULT_ADDR/v1/sys/auth | jq '.data | ."oidc/".accessor' -r)

- Create a JSON file that defines an alias for okta-group-vault-developer:

      #!/bin/bash
      tee alias-okta-group-vault-developer.json <<EOF
      {
        "canonical_id": "$GROUP_ID",
        "mount_accessor": "$OIDC_AUTH_ACCESSOR",
        "name": "okta-group-vault-developer"
      }
      EOF

- Send a request to register the okta-group-vault-developer alias with HCP Vault:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST -s \
           --data @alias-okta-group-vault-developer.json \
           $VAULT_ADDR/v1/identity/group-alias | jq

- Run this command, and then sign in with the vault-role-okta-group-vault-developer role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-developer"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-developer-read because okta-group-vault-developer matches the assigned Okta group.

- Sign out of Okta.
- Create a JSON file that defines the role for the okta-group-vault-admins group:

      #!/bin/bash
      tee vault-role-okta-group-vault-admins.json <<EOF
      {
        "bound_audiences": "$OKTA_CLIENT_ID",
        "allowed_redirect_uris": [
          "$VAULT_ADDR/ui/vault/auth/oidc/oidc/callback",
          "http://localhost:8250/oidc/callback"
        ],
        "user_claim": "sub",
        "token_policies": ["default"],
        "oidc_scopes": "groups",
        "groups_claim": "groups"
      }
      EOF

- Send a request to create a role called vault-role-okta-group-vault-admins:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST \
           --data @vault-role-okta-group-vault-admins.json \
           $VAULT_ADDR/v1/auth/oidc/role/vault-role-okta-group-vault-admins

- Create a JSON file that assigns the vault-policy-admin policy to the okta-group-vault-admins group:

      #!/bin/bash
      tee okta-group-vault-admins.json <<EOF
      {
        "name": "okta-group-vault-admins",
        "policies": ["vault-policy-admin"],
        "type": "external",
        "metadata": {
          "responsibility": "okta-group-vault-admins"
        }
      }
      EOF

- Send a request to create a group from the okta-group-vault-admins.json group definition:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST \
           --data @okta-group-vault-admins.json \
           $VAULT_ADDR/v1/identity/group | jq

- Send a request to create a GROUP_ID variable that contains the okta-group-vault-admins group ID:

      #!/bin/bash
      GROUP_ID=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request GET \
           $VAULT_ADDR/v1/identity/group/name/okta-group-vault-admins | jq '.data | .id' -r)

- Send a request to create an OIDC_AUTH_ACCESSOR variable for the OIDC authentication method:

      #!/bin/bash
      OIDC_AUTH_ACCESSOR=$(curl --header "X-Vault-Token: $VAULT_TOKEN" \
           $VAULT_ADDR/v1/sys/auth | jq '.data | ."oidc/".accessor' -r)

- Create a JSON file that defines an okta-group-vault-admins alias:

      #!/bin/bash
      tee alias-okta-group-vault-admins.json <<EOF
      {
        "canonical_id": "$GROUP_ID",
        "mount_accessor": "$OIDC_AUTH_ACCESSOR",
        "name": "okta-group-vault-admins"
      }
      EOF

- Send a request to register the okta-group-vault-admins alias with HCP Vault:

      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST -s \
           --data @alias-okta-group-vault-admins.json \
           $VAULT_ADDR/v1/identity/group-alias | jq

- Run this command, and then sign in with the vault-role-okta-group-vault-admins role:

      #!/bin/bash
      vault login -method=oidc role="vault-role-okta-group-vault-admins"

  A success message and a list of key-value pairs appear. The token that's returned uses vault-policy-admin because okta-group-vault-admins matches the assigned Okta group.
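Both the CLI and the API procedures above wire the same three objects together: an OIDC role whose groups_claim names the claim Okta puts in the ID token, an external identity group carrying a Vault policy, and a group alias that binds the Okta group name to that identity group on the OIDC mount's accessor. The following added example (not Okta's or HashiCorp's code) models that mapping so you can reason about which policies a login will receive, including the cases where a user is in an Okta group with no Vault alias or in both groups. The accessor value, the group IDs and the ID-token claims are constructed sample data, and the handling of a missing or malformed groups claim is this model's assumption about how the login is rejected.

```python
"""Model of how the OIDC role, external groups and group aliases configured
above combine into the policies of a login token.

Added example; this is not Okta's or HashiCorp's code. It models the mapping
described on the page: a token always gets the role's token_policies, and
each value in the ID token's groups claim that equals the name of a group
alias on the OIDC mount's accessor adds that external group's policies.
The accessor, the identity group IDs and the ID-token claims are constructed
sample data, not values from a real Vault cluster.
"""

OIDC_AUTH_ACCESSOR = "auth_oidc_constructed"  # a real value comes from 'vault auth list'

# auth/oidc/role entries, reduced to the two fields that drive the mapping.
ROLES = {
    "vault-role-okta-group-vault-developer": {
        "token_policies": ["default"],
        "groups_claim": "groups",
    },
    "vault-role-okta-group-vault-admins": {
        "token_policies": ["default"],
        "groups_claim": "groups",
    },
}

# identity/group entries: constructed canonical_id -> group, as created on the page.
GROUPS = {
    "group-id-developer-constructed": {
        "name": "okta-group-vault-developer",
        "type": "external",
        "policies": ["vault-policy-developer-read"],
    },
    "group-id-admins-constructed": {
        "name": "okta-group-vault-admins",
        "type": "external",
        "policies": ["vault-policy-admin"],
    },
}

# identity/group-alias entries: (mount_accessor, alias name) -> canonical_id.
GROUP_ALIASES = {
    (OIDC_AUTH_ACCESSOR, "okta-group-vault-developer"): "group-id-developer-constructed",
    (OIDC_AUTH_ACCESSOR, "okta-group-vault-admins"): "group-id-admins-constructed",
}


def resolve_login(role_name, id_token_claims, mount_accessor=OIDC_AUTH_ACCESSOR):
    """Return (sorted policy names, matched Vault group names) for one login.

    Raises ValueError when the claim named by the role's groups_claim is
    missing or is not a list of strings; in this model such a login is rejected.
    """
    role = ROLES[role_name]
    claim_name = role["groups_claim"]
    if claim_name not in id_token_claims:
        raise ValueError(f"{claim_name!r} claim not found in token")
    claimed = id_token_claims[claim_name]
    if not isinstance(claimed, list) or not all(isinstance(g, str) for g in claimed):
        raise ValueError(f"{claim_name!r} claim is not a list of strings")

    policies = set(role["token_policies"])  # the role's own policies always apply
    matched = []
    for value in claimed:
        canonical_id = GROUP_ALIASES.get((mount_accessor, value))
        if canonical_id is None:
            continue  # an Okta group with no alias on this mount adds nothing
        group = GROUPS[canonical_id]
        matched.append(group["name"])
        policies.update(group["policies"])
    return sorted(policies), matched


if __name__ == "__main__":
    # Constructed ID-token claims for three different Okta users.
    samples = {
        "developer": {"sub": "dev@example.test", "groups": ["Everyone", "okta-group-vault-developer"]},
        "admin": {"sub": "admin@example.test", "groups": ["Everyone", "okta-group-vault-admins"]},
        "no alias": {"sub": "other@example.test", "groups": ["Everyone"]},
    }
    for label, claims in samples.items():
        print(label, "->", resolve_login("vault-role-okta-group-vault-developer", claims))
```

Two things the model makes visible: the role only decides which policies every login starts with ("default" here), so the policy a user ends up with comes entirely from the alias match, and that match is keyed on both the alias name and the mount accessor. An alias created against the wrong accessor, or an Okta group name that drifts from the okta-group-vault naming convention, silently yields a token with nothing but the default policy, which is the safe failure direction but one worth checking for after the `vault login` step.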
Next step