Tokens generated via vault_jwt_auth_backend_role won't retain token_policies #567

Closed
nszilard opened this issue Oct 16, 2019 · 2 comments

@nszilard

Terraform Version

Terraform v0.12.2
+ provider.aws v2.32.0
+ provider.local v1.4.0
+ provider.null v2.1.2
+ provider.template v2.1.2
+ provider.vault v2.4.0

Vault Version

$ vault --version
Vault v1.2.0

$ curl --silent https://**REDACTED**/v1/sys/health | jq  .version
"1.2.0"

Affected Resource(s)

  • vault_jwt_auth_backend_role

Terraform Configuration Files

resource "vault_jwt_auth_backend_role" "oidc_role" {
  count = var.google_oidc_auth_backend == null ? 0 : 1

  role_name  = vault_identity_entity.user.name
  backend    = var.google_oidc_auth_backend.path
  role_type  = var.google_oidc_auth_backend.type
  user_claim = "email"

  token_policies = var.policies.*.name

  oidc_scopes = [
    "openid",
    "email"
  ]
  bound_audiences = [
    var.google_oidc_auth_backend.oidc_client_id
  ]
  allowed_redirect_uris = [
    "http://localhost:8250/oidc/callback",
    "https://**REDACTED**/ui/vault/auth/oidc/oidc/callback",
  ]
}

Expected Behavior

Terraform applies successfully.
After a successful attempt to authenticate via the OIDC role, the generated token should inherit all the token_policies set in the role.

Actual Behavior

Terraform applies successfully.
However, tokens generated via the role only have the default policy.

Steps to Reproduce

Using Terraform

  1. terraform apply
  2. vault read auth/oidc/role/testRole
Key                        Value
---                        -----
allowed_redirect_uris      [https://**REDACTED**/ui/vault/auth/oidc/oidc/callback http://localhost:8250/oidc/callback]
bound_audiences            [**REDACTED**]
bound_claims               <nil>
bound_subject              n/a
claim_mappings             <nil>
clock_skew_leeway          0
expiration_leeway          0
groups_claim               n/a
not_before_leeway          0
oidc_scopes                [openid email]
role_type                  oidc
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [testPolicy]
token_ttl                  0s
token_type                 default
user_claim                 email
verbose_oidc_logging       false
  3. vault login -method=oidc role=testRole
  4. Read token attributes:
Key                  Value
---                  -----
token                s.66vdoZMKPaF17lTGaYYy49M0
token_accessor       rDx7pyv6ow94YPG1F3dws9bC
token_duration       12h
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_role      testRole

Compared to using Vault API

  1. vault auth enable oidc
vault write auth/oidc/config \
  oidc_discovery_url="https://accounts.google.com" \
  oidc_client_id="**REDACTED**" \
  oidc_client_secret="**REDACTED**"
vault write auth/oidc/role/testRole \
  ttl=12h \
  user_claim="email" \
  oidc_scopes="openid,email" \
  bound_audiences="**REDACTED**" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback,https://**REDACTED**/ui/vault/auth/oidc/oidc/callback" \
  policies=testPolicy
  2. vault login -method=oidc role=testRole
  3. Read token attributes:
Key                  Value
---                  -----
token                s.4grSMTZIwuGgCp1hNWeKjzNp
token_accessor       zfC3aWj7j7k9NlcUOtmykOth
token_duration       12h
token_renewable      true
token_policies       ["testPolicy" "default"]
identity_policies    []
policies             ["testPolicy" "default"]
token_meta_role      testRole
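A post-login check for the behaviour the issue expects (the issued token carries every policy listed on the role), added here as an example and not part of the issue, the provider or Vault. It assumes the JSON shapes of `vault read -format=json auth/oidc/role/testRole` and `vault token lookup -format=json`, and uses constructed sample documents that mirror the two outputs above.

```python
import json
import sys
from pathlib import Path

# Constructed samples mirroring the issue's outputs in -format=json shape;
# not captured from a real server.
ROLE_JSON = json.dumps({"data": {
    "role_type": "oidc",
    "user_claim": "email",
    "token_policies": ["testPolicy"],
    "token_no_default_policy": False,
}})
TOKEN_FROM_TERRAFORM_ROLE = json.dumps({"data": {
    "policies": ["default"], "meta": {"role": "testRole"}}})
TOKEN_FROM_CLI_ROLE = json.dumps({"data": {
    "policies": ["testPolicy", "default"], "meta": {"role": "testRole"}}})


def expected_policies(role_json: str) -> set:
    """Policies Vault should attach to tokens issued through the role.

    Falls back to the deprecated `policies` field (used by the CLI example
    above); Vault adds `default` unless token_no_default_policy is true.
    """
    data = json.loads(role_json)["data"]
    wanted = set(data.get("token_policies") or data.get("policies") or [])
    if not data.get("token_no_default_policy", False):
        wanted.add("default")
    return wanted


def missing_policies(role_json: str, token_json: str) -> set:
    """Role policies the issued token does NOT carry (empty set == healthy)."""
    attached = set(json.loads(token_json)["data"].get("policies", []))
    return expected_policies(role_json) - attached


def main(argv):
    # Usage: check.py role.json token.json (saved output of the two
    # -format=json commands); with no arguments the samples are checked.
    if len(argv) == 3:
        role, token = [Path(p).read_text() for p in argv[1:3]]
    else:
        role, token = ROLE_JSON, TOKEN_FROM_TERRAFORM_ROLE
    missing = missing_policies(role, token)
    print("OK" if not missing else f"token lacks role policies: {sorted(missing)}")
    return 0 if not missing else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample pair it reports the issue's symptom (`testPolicy` missing) and exits non-zero, which makes it usable as a gate in the pipeline that applies the role.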
@lawliet89
Contributor

Can you try upgrading to Vault 1.2.3?

Seems to be fixed by hashicorp/vault-plugin-auth-jwt#67 that was released with 1.2.3.

@nszilard
Author

Thank you @lawliet89! I did upgrade to the latest version and it did fix the issue.

However, my question could still be of interest, as the server's version remained the same in the scenario described above, yet the different methods of creating an OIDC role resulted in a different outcome.

Happy to close the ticket though if you don't think any further investigation is necessary.
