Fix OpenBao role payload handoff

2026-06-28 02:33:42 +02:00
parent e3147b7fd5
commit f630d5135e
3 changed files with 31 additions and 26 deletions

@@ -104,18 +104,31 @@ Role payload:
}
```
Equivalent CLI command from an approved OpenBao operator context:
Equivalent CLI command from an approved OpenBao operator shell:
```bash
bao write auth/netkingdom/role/whynot-design-workload-kv-read \
'bound_claims={"groups":["whynot-design"]}' \
groups_claim=groups \
policies=workload-kv-read-whynot-design-npm-publish \
role_type=oidc \
ttl=15m \
user_claim=sub
role_payload_file="$(mktemp)"
trap 'rm -f "$role_payload_file"' EXIT
cat >"$role_payload_file" <<'JSON'
{
"bound_claims": {
"groups": [
"whynot-design"
]
},
"groups_claim": "groups",
"policies": "workload-kv-read-whynot-design-npm-publish",
"role_type": "oidc",
"ttl": "15m",
"user_claim": "sub"
}
JSON
bao write auth/netkingdom/role/whynot-design-workload-kv-read @"$role_payload_file"
```
The OpenBao Web UI console may treat `bound_claims={...}` as a string. Use a
raw JSON/API role editor when staying in the UI, or use the shell form above.
## Non-Secret Reads
These commands should succeed from an operator-capable identity and do not print
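Review bot: the `trap 'rm -f "$role_payload_file"' EXIT` line in the new bash block only fires when the shell itself exits, so an operator who pastes these lines into an interactive shell (which is how the surrounding text presents them) keeps the temp file around until logout rather than after the `bao write`; consider an explicit `rm -f "$role_payload_file"` right after `bao write auth/netkingdom/role/whynot-design-workload-kv-read @"$role_payload_file"`, or run the block in a subshell so the trap does what a reader expects. The payload carries no secret material (`mktemp` also creates the file mode 0600), so this is a tidiness point rather than an exposure, and the quoted `<<'JSON'` heredoc correctly prevents any expansion inside the payload.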