Is your feature request related to a problem? Please describe.

We would like to configure an ssh role that issues certificates to entities based on their name by default, i.e. if we have an SSH role configured (using the Vault SSH Role Terraform resource for the sake of example):

Currently they (or the tooling running on their behalf) need to make a call the equivalent of:

in order to get a certificate based on their current entity name, in effect requiring the caller to know their entity name and provide it, even though we would like to default to using the entity name if no valid_principal field is provided.

Describe the solution you'd like

Ideally, identity attribute templating could be supported for the default_user field the same way it is currently supported for the allowed_users field.

This would allow us to configure our backend role like this:

and then have our client side tooling do the equivalent of:

vault write ssh/sign/self public_key=@id_rsa.pub

and receive back an SSH certificate with the entity's name as a principal without needing to do additional network hops to look up the current entity name or guessing configuration in the request parameters.

Describe alternatives you've considered

- guessing the user's entity name from the $USER in their shell (this is not always a 1:1 match or correct)
- looking up the current entity's name with a combination of vault token lookup + vault read entity/id/..... calls. This adds ~2+ additional API calls to Vault, and requires all entities to have permission to read entity information from the identity backend, which is less ideal

Additional context

This is (tangentially) related to #10946, in that #10946 requires templating support, but this is ultimately only a narrow subset of what the users in #10946 would like.

Pull request implementing this can be found here: #16351
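As an added illustration, not the issue author's own configuration (which is not preserved on this page), the following shows what the requested role could look like with the Vault Terraform provider: allowed principals are templated from the caller's entity name, the default principal is templated the same way, and the client policy grants nothing beyond signing against that one role. Attribute names follow the vault_ssh_secret_backend_role, vault_ssh_secret_backend_ca, vault_mount and vault_policy resources; default_user_template is the switch the linked PR introduces and is assumed here to be available in the provider version in use, and the mount path, role name, TTLs and policy name are made-up sample values.

```hcl
# Added example, not from the issue. Attribute names follow the Terraform Vault
# provider; default_user_template is assumed to exist (it is what the linked PR
# adds). Mount path, role name, TTLs and policy name are sample values.

resource "vault_mount" "ssh" {
  path = "ssh"
  type = "ssh"
}

# Let Vault generate and hold the CA signing key rather than importing one.
resource "vault_ssh_secret_backend_ca" "ca" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}

resource "vault_ssh_secret_backend_role" "self" {
  backend                 = vault_mount.ssh.path
  name                    = "self"
  key_type                = "ca"
  allow_user_certificates = true

  # Only the caller's own entity name is an acceptable principal, so a request
  # that names a different user in valid_principals is refused by Vault.
  allowed_users          = "{{identity.entity.name}}"
  allowed_users_template = true

  # Without templating here, callers had to pass valid_principals explicitly.
  # With default_user_template the same template fills the principal in when
  # the request omits it, which is the behaviour the issue asks for.
  default_user          = "{{identity.entity.name}}"
  default_user_template = true

  # Short-lived certificates bound the exposure of a leaked private key.
  ttl     = "30m"
  max_ttl = "1h"

  # Keep certificate extensions minimal; permit-pty is enough for a login.
  allowed_extensions = "permit-pty"
  default_extensions = { "permit-pty" = "" }
}

# Clients need only the ability to sign against this role. No read access to
# the identity backend is granted, which removes the lookup calls the issue
# lists under alternatives.
resource "vault_policy" "ssh_self_sign" {
  name   = "ssh-self-sign"
  policy = <<-EOT
    path "ssh/sign/self" {
      capabilities = ["update"]
    }
  EOT
}
```

With this in place a client authenticated as an entity can run the single call from the issue, vault write ssh/sign/self public_key=@id_rsa.pub, and the certificate's principal is derived server-side from the token's entity rather than from anything the caller supplies, so the client cannot request a principal it does not own.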