path: root/doc/integration/vault.md
Diffstat (limited to 'doc/integration/vault.md')
-rw-r--r-- doc/integration/vault.md | 26
1 file changed, 18 insertions, 8 deletions
diff --git a/doc/integration/vault.md b/doc/integration/vault.md
index 362ae36389b..c98990bcb0e 100644
--- a/doc/integration/vault.md
+++ b/doc/integration/vault.md
@@ -76,15 +76,25 @@ The following assumes you already have Vault installed and running.
This configuration is saved under the name of the role you are creating. In this case, we are creating a `demo` role. Later, we show how you can access this role through the Vault CLI.
+ WARNING:
+ If you're using a public GitLab instance (GitLab.com or any other instance publicly
+ accessible), it's paramount to specify the `bound_claims` to allow access only to
+ members of your group/project. Otherwise, anyone with a public account can access
+ your Vault instance.
+
```shell
- vault write auth/oidc/role/demo \
- user_claim="sub" \
- allowed_redirect_uris="http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
- bound_audiences="your_application_id" \
- role_type="oidc" \
- oidc_scopes="openid" \
- policies=demo \
- ttl=1h
+ vault write auth/oidc/role/demo -<<EOF
+ {
+ "user_claim": "sub",
+ "allowed_redirect_uris": "your_vault_instance_redirect_uris",
+ "bound_audiences": "your_application_id",
+ "oidc_scopes": "openid",
+ "role_type": "oidc",
+ "policies": "demo",
+ "ttl": "1h",
+ "bound_claims": { "groups": ["yourGroup/yourSubgrup"] }
+ }
+ EOF
```
1. **Sign in to Vault:**
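Review bot: The `bound_claims` value that the new warning tells readers to copy contains a typo in its placeholder: `"groups": ["yourGroup/yourSubgrup"]` should read `yourGroup/yourSubgroup`, otherwise a reader who substitutes only the leading segment ends up with a full path that never matches and gets locked out silently. Two smaller points on the same lines: the warning says to restrict access to "members of your group/project", but the example only shows a `groups` binding, so either drop "/project" or state that the example covers the group case; and replacing the two concrete `allowed_redirect_uris` values with the placeholder `your_vault_instance_redirect_uris` removes the only worked example of the CLI and UI callback URLs, so consider keeping those values in the JSON form (the field accepts the same comma-separated list).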