Update vault.md describing how to prevent possible security vulnerability

d3471900 · Emanuele di Vizio · Marcia Ramos · 65a0a021 · d3471900
Commit d3471900 authored Mar 17, 2021 by Emanuele di Vizio Committed by Marcia Ramos Mar 17, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 8 deletions

doc/integration/vault.md doc/integration/vault.md +18 -8

No files found.
--- a/doc/integration/vault.md
+++ b/doc/integration/vault.md
@@ -76,15 +76,25 @@ The following assumes you already have Vault installed and running.
   This configuration is saved under the name of the role you are creating. In this case, we are creating a `demo` role. Later, we show how you can access this role through the Vault CLI.
+   WARNING:
+   If you're using a public GitLab instance (GitLab.com or any other instance publicly 
+   accessible), it's paramount to specify the `bound_claims` to allow access only to
+   members of your group/project. Otherwise, anyone with a public account can access
+   your Vault instance.
   ```shell
-   vault write auth/oidc/role/demo \
+   vault write auth/oidc/role/demo -<<EOF
-         user_claim="sub" \
+   {
-         allowed_redirect_uris="http://localhost:8250/oidc/callback,http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
+      "user_claim": "sub",
-         bound_audiences="your_application_id" \
+      "allowed_redirect_uris": "your_vault_instance_redirect_uris",
-         role_type="oidc" \
+      "bound_audiences": "your_application_id",
-         oidc_scopes="openid" \
+      "oidc_scopes": "openid",
-         policies=demo \
+      "role_type": "oidc",
-         ttl=1h
+      "policies": "demo",
+      "ttl": "1h",
+      "bound_claims": { "groups": ["yourGroup/yourSubgrup"] }
+   }
+   EOF
   ```
 1. **Sign in to Vault:**