Fix OpenBao role payload handoff
@@ -104,18 +104,31 @@ Role payload:
}
```
Equivalent CLI command from an approved OpenBao operator context:
Equivalent CLI command from an approved OpenBao operator shell:
```bash
bao write auth/netkingdom/role/whynot-design-workload-kv-read \
'bound_claims={"groups":["whynot-design"]}' \
groups_claim=groups \
policies=workload-kv-read-whynot-design-npm-publish \
role_type=oidc \
ttl=15m \
user_claim=sub
role_payload_file="$(mktemp)"
trap 'rm -f "$role_payload_file"' EXIT
cat >"$role_payload_file" <<'JSON'
{
"bound_claims": {
"groups": [
"whynot-design"
]
},
"groups_claim": "groups",
"policies": "workload-kv-read-whynot-design-npm-publish",
"role_type": "oidc",
"ttl": "15m",
"user_claim": "sub"
}
JSON
bao write auth/netkingdom/role/whynot-design-workload-kv-read @"$role_payload_file"
```
The OpenBao Web UI console may treat `bound_claims={...}` as a string. Use a
raw JSON/API role editor when staying in the UI, or use the shell form above.
## Non-Secret Reads
These commands should succeed from an operator-capable identity and do not print
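Review bot: the new payload keeps `"role_type": "oidc"` but, like the inline form it replaces, sets no `allowed_redirect_uris`, which the JWT/OIDC auth method requires for OIDC roles, so `bao write auth/netkingdom/role/whynot-design-workload-kv-read @"$role_payload_file"` should be rejected at write time rather than silently produce a usable role. If this role is meant for headless workload logins with a presented JWT, which the role name and the `workload-kv-read-whynot-design-npm-publish` policy suggest, `"role_type": "jwt"` with the existing `bound_claims` (and `bound_audiences` for the expected `aud`) is the right shape; otherwise add `allowed_redirect_uris` and the `oidc_*` client settings that an interactive login needs. Minor: `policies` is the deprecated alias for `token_policies` and `ttl` for `token_ttl`; using the `token_*` names in the JSON avoids relying on the compatibility mapping. The `mktemp` plus `trap ... EXIT` handoff and the quoted `<<'JSON'` heredoc are correct and do resolve the `bound_claims={...}` string-coercion problem the surrounding text describes.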