Allow the use of identity templates in secret/ssh roles default_user field #16350

Closed
ianferguson opened this issue Jul 19, 2022 · 0 comments · Fixed by #16351

ianferguson (Contributor) commented Jul 19, 2022

Is your feature request related to a problem? Please describe.

We would like to configure an ssh role that issues certificates to entities based on their name by default,

i.e. if we have an SSH role configured (using the Vault SSH Role Terraform resource for the sake of example):

resource "vault_ssh_secret_backend_role" "self" {
  backend                = vault_mount.ssh_client.path
  name                   = "self"
  key_type               = "ca"
  allowed_users          = "{{identity.entity.name}}"
  allowed_users_template = "true"
}

Currently they (or the tooling running on their behalf) need to make a call equivalent to:

vault write ssh/sign/self public_key=@id_rsa.pub valid_principals=ianferguson

in order to get a certificate based on their current entity name, in effect requiring the caller to know their entity name and provide it, even though we would like to default to using the entity name if no valid_principal field is provided.

Describe the solution you'd like
Ideally, identity attribute templating could be supported for the default_user field the same way it is currently supported for the allowed_users field.

This would allow us to configure our backend role like this:

resource "vault_ssh_secret_backend_role" "self" {
  backend                = vault_mount.ssh_client.path
  name                   = "self"
  key_type               = "ca"
  default_user           = "{{identity.entity.name}}"
  default_user_template  = "true"
  allowed_users          = "{{identity.entity.name}}"
  allowed_users_template = "true"
}

and then have our client side tooling do the equivalent of:

vault write ssh/sign/self public_key=@id_rsa.pub

and receive back an SSH certificate with the entity's name as a principal, without needing to do additional network hops to look up the current entity name or guessing configuration in the request parameters.

Describe alternatives you've considered

  • guessing the user's entity name from the $USER in their shell (this is not always a 1:1 match or correct)
  • looking up the current entity's name with a combination of vault token lookup + vault read entity/id/..... calls. This adds ~2+ additional API calls to Vault, and requires all entities to have permission to read entity information from the identity backend, which is less ideal

Additional context

This is (tangentially) related to #10946, in that #10946 requires templating support, but this is ultimately only a narrow subset of what the users in #10946 would like.

Pull request implementing this can be found here: #16351
