From 38978354bda77f2dc92f6fa34e05129cf78e71a0 Mon Sep 17 00:00:00 2001
From: George Jahad
Date: Fri, 11 Oct 2024 14:34:13 -0700
Subject: [PATCH] removed unneeded reader policy

---
 app/lib/clients/vault/oidc.rb | 17 +++-------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb
index 48eccb3..e822723 100644
--- a/app/lib/clients/vault/oidc.rb
+++ b/app/lib/clients/vault/oidc.rb
@@ -43,7 +43,6 @@ def configure_oidc_provider
 
     def configure_oidc_client(issuer, client_id, client_secret)
       create_client_config(issuer, client_id, client_secret)
-      create_default_policy_for_role
       create_default_role(client_id)
     end
 
@@ -131,18 +130,8 @@ def create_client_config(issuer, client_id, client_secret)
         oidc_discovery_url: issuer,
         oidc_client_id: client_id,
         oidc_client_secret: client_secret,
-        default_role: "reader")
+        default_role: "default")
     end
-
-    def create_default_policy_for_role
-      policy = <<-EOH
-        path "sys" {
-          policy = "read"
-        }
-      EOH
-      client.sys.put_policy("reader", policy)
-    end
-
     def redirect_uris
       # use localhost:8250, per: https://developer.hashicorp.com/vault/docs/auth/jwt#redirect-uris
       redirect_uris = <<-EOH
@@ -153,12 +142,12 @@ def redirect_uris
 
     def create_default_role(client_id)
       client.logical.write(
-        "auth/oidc/role/reader",
+        "auth/oidc/role/default",
         bound_audiences: client_id,
         allowed_redirect_uris: redirect_uris,
         user_claim: "email",
         oidc_scopes: "email",
-        token_policies: "reader")
+        token_policies: "default")
     end
   end
 end
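Review bot: Deleting `create_default_policy_for_role` removes the code that wrote the `reader` policy but not the policy itself, so a Vault that was already configured by an earlier version keeps an unmanaged `reader` policy (and, after the rename in the following hunk, a stale `auth/oidc/role/reader` role still bound to it); if that deployment path exists, `configure_oidc_client` should delete both, or the one-off cleanup should be noted next to this change. The removed policy appears to grant only `read` on the literal path `sys`, so dropping it narrows what OIDC-issued tokens can do rather than widening it, which is worth stating in the commit message since the title says only "unneeded". The hunk also deletes both blank lines around the removed method, leaving `end` directly followed by `def redirect_uris`; keep one of them so method spacing matches the rest of the file.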
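Review bot: `token_policies: "default"` is redundant and easy to misread as a project-defined policy: Vault attaches its built-in `default` policy to every token a role issues unless the role sets `token_no_default_policy`, so after this change the role grants nothing beyond that built-in policy, and any read access callers relied on from the old `reader` policy is gone. Either drop the `token_policies` key or add a comment such as `# only Vault's built-in default policy; add explicit policies here when users need more` so the intent is explicit. `create_default_role` lies fully within the hunk, but the role path written here must stay in sync with `default_role: "default"` in `create_client_config` from the previous hunk; a shared constant for the role name would prevent the two from drifting apart on the next rename.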