You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+62-4Lines changed: 62 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,6 +15,7 @@ Currently using [OpenBao](https://openbao.org) and [OpenTofu](https://opentofu.o
15
15
|[OpenTofu](https://opentofu.org/docs/intro/install/)| 1.8.0 |`tofu` must be on `$PATH`|
16
16
|[Podman](https://podman.io/docs/installation)| 4.0 |`podman` must be on `$PATH`|
17
17
|[podman-compose](https://github.com/containers/podman-compose)| 1.0 |`podman compose` plugin or `podman-compose`|
18
+
|[Python](https://python.org)| 3.12+ |`python` must be on `$PATH`|
18
19
| Linux kernel | — |`IPC_LOCK` for mlock; set `disable_mlock = true` if unavailable (some WSL2 setups) |
19
20
20
21
The Vault/OpenBao CLI is **not** required on the host — `tofu output` prints ready-to-run `init` and `unseal` commands. If you do have the CLI installed, set `VAULT_CACERT` to the generated CA path.
@@ -560,7 +561,7 @@ Navigate to `https://127.0.0.1:8444/admin` and log in with your admin credential
560
561
561
562
1. With the `vault` client open, click the **Client scopes** tab
562
563
2. Click the link named **`vault-dedicated`** (the first row, type will show as *Dedicated*)
563
-
3. Click **Add mapper** → **By configuration**
564
+
3. Click **Add mapper** → **Configure a New Mapper**
564
565
4. Click **Group Membership**
565
566
5. Set **Name** to `groups`
566
567
6. Set **Token Claim Name** to `groups`
@@ -599,7 +600,7 @@ Navigate to `https://127.0.0.1:8444/admin` and log in with your admin credential
599
600
600
601
1. Click the **Client scopes** tab
601
602
2. Click **`agent-cli-dedicated`**
602
-
3. Click **Add mapper** → **By configuration**
603
+
3. Click **Add mapper** → **Configure a new Mapper**
603
604
4. Click **Group Membership**
604
605
5. Set **Name** to `groups`
605
606
6. Set **Token Claim Name** to `groups`
@@ -610,7 +611,55 @@ Navigate to `https://127.0.0.1:8444/admin` and log in with your admin credential
610
611
611
612
---
612
613
613
-
Once this is done you can verify the mapper is working before touching OpenBao — log in as your operator user and decode the resulting access token at `https://jwt.io` to confirm the `groups` claim contains `vault-operators`.
614
+
Once this is done, verify the mapper before touching OpenBao (using the correct client token):
615
+
616
+
1. In Keycloak admin, open **Clients** -> **vault** -> **Client scopes** -> **Evaluate**
617
+
2. Select user **operator** and click **Generated access token**
618
+
3. Keycloak shows the decoded JSON payload directly — confirm it includes `"groups": ["vault-operators"]`
619
+
4. Repeat for **Clients** -> **agent-cli** -> **Client scopes** -> **Evaluate**, selecting the same **operator** user
620
+
621
+
If `groups` is still missing, troubleshoot in this order:
This command ensures both the agent AppRole and the database roles are enabled in Vault. Both variables must be set to `true` when deploying the agentic layer.
0 commit comments