From 24d69ff5edff12e1ab53a8fee79d21acfd98ad9e Mon Sep 17 00:00:00 2001 From: generically-named <85384565+generically-named@users.noreply.github.com> Date: Fri, 18 Oct 2024 23:46:08 +1030 Subject: [PATCH] website/integrations: Add note regarding custom scopes in Hashicorp Vault OIDC documentation (#11668) Co-authored-by: Marc 'risson' Schmitt --- website/integrations/services/hashicorp-vault/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/website/integrations/services/hashicorp-vault/index.md b/website/integrations/services/hashicorp-vault/index.md index 380b39c429..84888261e4 100644 --- a/website/integrations/services/hashicorp-vault/index.md +++ b/website/integrations/services/hashicorp-vault/index.md @@ -88,5 +88,8 @@ vault write auth/oidc/role/reader \ policies="reader" ``` +:::note +If you intend to create [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group) in Vault to manage user access the OIDC role will need to specifically request a custom scope using the `oidc_scopes` option when creating the OIDC role. +::: You should then be able to sign in via OIDC `vault login -method=oidc role="reader"`
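Review bot: The added `:::note` in `index.md` tells the reader to request a custom scope with `oidc_scopes` but never names the scope or shows the option in use, and the `vault write auth/oidc/role/reader` example directly above it still ends at `policies="reader"`. A reader following the page has nothing to copy, so the external-group setup will fail without an obvious cause. Consider showing the option with a clearly marked placeholder, for example `oidc_scopes="<custom-scope-name>"`, either inside the note or as an extra line in the role example, and state where that scope is expected to be defined. Wording: add a comma after "manage user access", and the sentence names "the OIDC role" twice, so the trailing "when creating the OIDC role" can become "when creating it".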