
ssh cert signing allowed_user_templates template could not be rendered -> alias not found #10113

Closed
chomezski opened this issue Oct 8, 2020 · 2 comments

Comments

@chomezski

Describe the bug
Trying to use identity template for ssh cert signing to limit principals as per #7548 but am getting an error that template cannot be rendered.

To Reproduce
Steps to reproduce the behavior:
1.

# Create the signing role; the heredoc must be closed with its EOH terminator
vault write ssh-client-signer/roles/adminsign -<<"EOH"
{
    "allowed_users_template": true,
    "allow_user_certificates": true,
    "allowed_users": "{{identity.entity.aliases.auth_oidc_918c7b53.name}}",
    "default_user": "",
    "allow_user_key_ids": "false",
    "default_extensions": [
        {
          "permit-pty": ""
        }
    ],
    "key_type": "ca",
    "ttl": "60m0s"
}
EOH

# Request a certificate for principal "usera" with the caller's token
vault write \
-field=signed_key ssh-client-signer/sign/adminsign \
valid_principals="usera" \
public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
Error writing data to ssh-client-signer/sign/adminsign: Error making API request.

URL: PUT https://alphaeast.keeper.test.com/v1/ssh-client-signer/sign/adminsign
Code: 400. Errors:

* template '{{identity.entity.aliases.auth_oidc_918c7b53.name}}' could not be rendered -> alias not found

Expected behavior
Expectation is that I am able to sign the certificate with only the OIDC logged in user, otherwise have an error thrown.

Environment:

  • Vault Server Version: 1.5.4+prem.hsm
  • Vault CLI Version: Vault v1.5.0
  • Server Operating System/Architecture: macos, centos7

Additional context
Identity Alias seems correct:

vault read identity/entity-alias/id/fa33ad6d-b47e-f1ba-ab06-fed41d09d5ae
Key                          Value
---                          -----
canonical_id                 3e2ef207-6b8a-1e32-8a8c-af2e87b99dd7
creation_time                2020-10-07T22:28:49.48571012Z
id                           fa33ad6d-b47e-f1ba-ab06-fed41d09d5ae
last_update_time             2020-10-07T22:28:49.48571012Z
merged_from_canonical_ids    <nil>
metadata                     map[email:usera@test.com family_name:A given_name:User sub:usera]
mount_accessor               auth_oidc_918c7b53
mount_path                   auth/oidc/
mount_type                   oidc
name                         usera
namespace_id                 TS0uy
@chomezski
Author

My issue is resolved. The problem I was having is that I was using a token from the parent namespace, for which I had a different mount point, and I guess the template wasn't able to render because of it.

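The failure above comes down to which entity the signing request is evaluated against. `{{identity.entity.aliases.<mount_accessor>.name}}` is resolved from the aliases of the entity behind the calling token, keyed by mount accessor; a token issued in the parent namespace belongs to an entity whose aliases hang off that namespace's own mounts, so the accessor `auth_oidc_918c7b53` is never found and the role returns "alias not found". The following simplified model is an added illustration written for this issue, not Vault's own code: the entity and role structures, the parent-namespace accessor `auth_oidc_1a2b3c4d` and the parent entity id are constructed for the example, and the child-namespace values are taken from the entity-alias read above.

```python
"""Simplified model of allowed_users_template rendering for a Vault SSH
signing role. Added illustration for this issue, not code from Vault.
Entity/role structures and the parent-namespace data are constructed."""

import re
from dataclasses import dataclass

# Only the {{identity.entity.aliases.<mount_accessor>.name}} form used in the
# role above is modelled; other identity template fields are out of scope.
ALIAS_NAME_RE = re.compile(
    r"\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.name\}\}"
)


class TemplateError(ValueError):
    """Stands in for the 400 the API returned: template not renderable."""


@dataclass(frozen=True)
class Entity:
    entity_id: str
    namespace_id: str
    aliases: dict  # mount_accessor -> alias name, as an entity-alias read shows


@dataclass(frozen=True)
class SshRole:
    allowed_users: str
    allowed_users_template: bool = False


def render_allowed_users(role: SshRole, entity: Entity) -> str:
    """Return the effective allowed_users string for the calling entity."""
    if not role.allowed_users_template:
        # With templating off the braces are taken literally, so the template
        # text itself becomes the only "allowed user".
        return role.allowed_users

    def lookup(match) -> str:
        accessor = match.group(1)
        if accessor not in entity.aliases:
            # The caller's entity has no alias under this mount accessor.
            raise TemplateError(
                f"template '{role.allowed_users}' could not be rendered "
                "-> alias not found"
            )
        return entity.aliases[accessor]

    return ALIAS_NAME_RE.sub(lookup, role.allowed_users)


def check_principals(role: SshRole, entity: Entity, valid_principals: str) -> list:
    """Validate requested principals against the rendered allowed_users.

    Returns the principals that would be placed in the certificate, or raises
    PermissionError when one of them is not allowed for this caller.
    """
    rendered = render_allowed_users(role, entity)
    allowed = {u.strip() for u in rendered.split(",") if u.strip()}
    requested = [p.strip() for p in valid_principals.split(",") if p.strip()]
    for principal in requested:
        if "*" not in allowed and principal not in allowed:
            raise PermissionError(
                f"{principal} is not a valid value for valid_principals"
            )
    return requested


def sign_outcome(role: SshRole, entity: Entity, valid_principals: str) -> str:
    """Summarise the request the way the CLI would report it."""
    try:
        return "signed for " + ",".join(check_principals(role, entity, valid_principals))
    except (TemplateError, PermissionError) as exc:
        return f"error: {exc}"


# Constructed sample data. The child-namespace accessor and entity values are
# those shown in the issue; the parent-namespace accessor and entity id are
# assumptions made for this example.
ROLE = SshRole(
    allowed_users="{{identity.entity.aliases.auth_oidc_918c7b53.name}}",
    allowed_users_template=True,
)
CHILD_NS_ENTITY = Entity(
    "3e2ef207-6b8a-1e32-8a8c-af2e87b99dd7", "TS0uy",
    {"auth_oidc_918c7b53": "usera"},
)
PARENT_NS_ENTITY = Entity(
    "00000000-0000-0000-0000-000000000001", "root",  # constructed id
    {"auth_oidc_1a2b3c4d": "usera"},  # same user, different mount accessor
)

if __name__ == "__main__":
    print(sign_outcome(ROLE, CHILD_NS_ENTITY, "usera"))   # token from child ns
    print(sign_outcome(ROLE, CHILD_NS_ENTITY, "root"))    # principal not allowed
    print(sign_outcome(ROLE, PARENT_NS_ENTITY, "usera"))  # token from parent ns
```

The practical check before blaming the role: run `vault token lookup` with the token you are about to sign with and note its `entity_id` and `namespace_path`, then `vault read identity/entity/id/<entity_id>` in that namespace and confirm one of the listed aliases carries the `mount_accessor` named in the template (compare with `vault auth list` in the namespace where the role lives). If the token was obtained in a different namespace, its entity will not have an alias for this namespace's OIDC mount, and the only fix is to log in through that mount so the signing call is made with a token whose entity carries the expected alias.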
@raskchanky
Contributor

@chomezski I'm glad you got everything sorted out. Cheers!
