Templates in policy parameter constraints


tobt...@gmail.com

Jan 14, 2019, 12:46:37 PM
to Vault
Hello,

is it somehow possible to use template IDs within parameter constraints in policy files? So to do something like:

path "secret/foo" {
  capabilities = ["create"]
  allowed_parameters = { "bar" = [{{identity.entity.name}}] }
}

i.e. an account with this policy attached is able to add items to secret/foo, but it must supply its own entity name for the parameter "bar".

The actual goal is to have a policy for multiple machines A, B, C, which are allowed to request certificates via pki/issue, but only for their own hostname. So machine A should be able to request a certificate for CN=A, but not for CN=B. Of course I could create a separate PKI role for each machine (https://www.vaultproject.io/api/secret/pki/index.html#create-update-role), with allowed_domains set to the corresponding hostname. But creating hundreds of PKI roles for each machine is kind of a nuisance... Instead I'd like to use a policy template or something similar to restrict the common_name parameter of the requests.

Chris Hoffman

Jan 17, 2019, 9:57:50 AM
to Vault
I'm not entirely sure if this will work in the PKI context, meaning that using allowed parameters with common_name will work but you will be able to use the templates in the policy parameter blocks.  The template engine treats each path statement as a dumb string and does the replacements.  So it should be possible to do the replacements based on your example policy above.

Chris

tobt...@gmail.com

Jan 17, 2019, 1:33:36 PM
to Vault
Hello,

that would be great if the template engine just replaces the variables. But my tests show that the example policy above is not accepted and instead an error is thrown: "error while trying to parse object within list: At 3:36: expected: IDENT | STRING got: LBRACE"
When I enclose {{identity.entity.name}} in quotes the policy is accepted by Vault, but as it seems the variable doesn't get replaced:
"vault write secret/foo bar=entity_example" fails with permission denied
"vault write secret/foo bar={{identity.entity.name}}" succeeds, but is of course not what anyone would want.

Does your Vault behave differently?

Jeff Mitchell

Jan 17, 2019, 1:54:03 PM
to Vault
Hi,

This is only supported for paths.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7468a0d0-3f8e-4097-8712-b46a4ff75951%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

tobt...@gmail.com

Jan 18, 2019, 4:47:29 AM
to Vault
Hello Jeff,

thank you for the confirmation.
It would be great if in future versions the template engine replaced the template variables everywhere in the policy, not just within the path.
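The thread's conclusion written out as a policy file. This is an added example, not code from the thread or from HashiCorp; it assumes each machine authenticates as an entity whose name equals its hostname, and that a PKI role of the same name exists with allowed_domains set to that hostname (the per-machine-role setup the first message describes).

```hcl
# Supported: the template is expanded inside the path string. The entity
# "machine-a" can therefore only call pki/issue/machine-a, and that role's
# allowed_domains is what restricts common_name to machine-a's own name.
# (Assumption: PKI roles are named after the hostname of each machine.)
path "pki/issue/{{identity.entity.name}}" {
  capabilities = ["create", "update"]
}

# Supported: parameter constraints with literal values. The write to
# secret/foo is limited to one fixed value for "bar"; Vault performs no
# template expansion inside this block.
path "secret/foo" {
  capabilities = ["create"]
  allowed_parameters = {
    "bar" = ["entity_example"]
  }
}

# Not supported: a template inside allowed_parameters. Left unquoted it
# fails to parse (the "expected: IDENT | STRING got: LBRACE" error seen in
# the thread); quoted, it is treated as the literal string
# "{{identity.entity.name}}" and never expanded, so a real entity name is
# denied while the literal template text is accepted.
# path "secret/foo" {
#   capabilities = ["create"]
#   allowed_parameters = { "bar" = ["{{identity.entity.name}}"] }
# }
```

The practical effect is that the per-host restriction lives in the role (allowed_domains), while the templated path only stops a machine from reaching another host's role.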