JWT auth + identity guidance


John Wong

Sep 24, 2018, 3:33:19 PM9/24/18
to Vault
Hi

Currently I use ldap auth and app role (also app id for legacy reasons) for users/apps to read secrets and get AWS STS credentials. For example, I have these Vault policies:
  • marketing_team
  • engineering_foo
  • engineering_manager
  • application_bar
With these policies:
  • Bob belongs to the engineering foo team. After he authenticates with ldap, he gets a Vault token with engineering_foo permissions. His STS credentials will only allow him to create EC2. He can also assume engineering_manager for more privileged access.
  • Application Bar works with S3. Every AWS call is done by reading STS credentials as application_bar.
The problem is that I want a user who uses application Bar to interact with S3 as himself or herself. In other words, I want the application to actually read engineering_foo when Bob logs in, and use marketing_team when Sally logs in. This way I can delegate permission checks to AWS and avoid privilege escalation bugs on my end.

Since my app has JWT token, I want to use JWT auth. This is what I envisioned:

1. User logs in.
2. User is asked to choose an AWS role. Sally will see marketing_team; Bob sees engineering_foo.
3. User clicks a button which does something on the AWS side, e.g. create an instance.
4. Our backend then authenticates with Vault using JWT.
5. Backend gets back a Vault token, and backend "gets" back STS credentials.
6. AWS code is executed.

This all seems doable. But I have a few questions:

1. To use /auth/jwt/login, I need to provide a named role. What is the "bounded_subject" in step 3 of https://www.vaultproject.io/docs/auth/jwt.html (see Configuration)? Is it the user who is logging in or the application (client)? In my JWT I have an email address as identifier, but the actual role to be given to the JWT login API would be the same name as engineering_foo, for example, if Bob is logging in.

2. What would the group_claims / user_claims be like? That's also not very clear to me, exactly what they are.

3. The doc also mentions identity. How are JWT user/group claims used to set up aliases? Do I have to first create an entity for Bob (Bob can assume either engineering_foo or engineering_manager permissions)?

The JWT/Identity thing remains a puzzle to me, and I would appreciate if someone can guide me through.

Thank you so much.

Jeff Mitchell

Sep 24, 2018, 6:32:54 PM9/24/18
to Vault
Hi there,


> 1. To use /auth/jwt/login, I need to provide a named role. What is the "bounded_subject" in step 3 of https://www.vaultproject.io/docs/auth/jwt.html (see Configuration)? Is it the user who is logging in or the application (client)? In my JWT I have an email address as identifier, but the actual role to be given to the JWT login API would be the same name as engineering_foo, for example, if Bob is logging in.

It's the expected value of the 'sub' claim in the JWT.

> 2. What would the group_claims / user_claims be like? That's also not very clear to me, exactly what they are.

The user claim (string) is the claim in the JWT that should be used to
uniquely identify the user. This value is then used in Identity as the
alias name for the mount. The group claim (string array) is used to
identify the groups that the user belongs to, which is used for
populating Identity groups.

> 3. The doc also mentions identity. How are JWT user/group claims used to set up aliases? Do I have to first create an entity for Bob (Bob can assume either engineering_foo or engineering_manager permissions)?

You don't need to create an entity ahead of time; one will be created
if one doesn't exist/match for that combination of alias mount and
name. The next time the user logs in that name will identify them and
they will be associated with the same entity.

As for groups, the identity system does not automatically create group
aliases. We may make that toggleable in the future but it prevents
users with amazing numbers of groups (we've seen hundreds) from
automatically creating an equally amazing number of group aliases when
they log in, which often will not be desirable.

Best,
Jeff
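An added example, written for this page and not Vault's code or the docs' sample, that models the mapping Jeff describes. Role fields mirror the parameters of `vault write auth/jwt/role/<name>` (bound_subject, bound_audiences, user_claim, groups_claim, policies); the subjects auth0|bob and auth0|sally, the groups claim name https://vault/groups, the mount accessor and the fixed clock are constructed assumptions. Signature checking, which Vault does against the mount's jwt_validation_pubkeys, is deliberately left out. Two things worth seeing in code: bound_subject holds a single expected 'sub', so a role shared by a whole team has to leave it empty, and because the caller names the role at login, the role's bound_* checks are all that decides who can obtain its policies.

```python
"""Model of how a Vault JWT auth role turns a token's claims into Identity data.
Added example, not Vault's code; subjects, claim names, accessor and clock are
constructed. Signature verification is not modelled: decode_claims only parses."""
import base64
import json

MOUNT_ACCESSOR = "auth_jwt_0a1b2c3d"  # constructed accessor of the jwt mount
NOW = 1537800000                       # fixed clock (24 Sep 2018) for the samples

ROLES = {
    # Team-wide roles leave bound_subject empty: it holds ONE expected 'sub',
    # so it cannot pin a role to every member of a team.
    "engineering_foo": {
        "bound_subject": "", "bound_audiences": ["vault-demo"],
        "user_claim": "email", "groups_claim": "https://vault/groups",
        "policies": ["engineering_foo"]},
    "marketing_team": {
        "bound_subject": "", "bound_audiences": ["vault-demo"],
        "user_claim": "email", "groups_claim": "https://vault/groups",
        "policies": ["marketing_team"]},
    # Privileged role pinned to one subject: only a JWT with sub=auth0|bob gets it.
    "engineering_manager": {
        "bound_subject": "auth0|bob", "bound_audiences": ["vault-demo"],
        "user_claim": "email", "groups_claim": "https://vault/groups",
        "policies": ["engineering_manager"]},
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_jwt(claims: dict) -> str:
    """Compact JWS for the constructed samples; the signature is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])

def decode_claims(jwt: str) -> dict:
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def login(role_name: str, jwt: str, now: int = NOW) -> dict:
    """Mimic POST auth/jwt/login {role, jwt}: enforce the role's bound_* checks,
    then derive what Vault would hand to Identity. The caller picks the role, so
    these checks are all that decides who may obtain the role's policies."""
    role = ROLES.get(role_name)
    if role is None:
        raise PermissionError("role %r does not exist" % role_name)
    claims = decode_claims(jwt)
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if role["bound_subject"] and claims.get("sub") != role["bound_subject"]:
        raise PermissionError("sub %r does not match bound_subject" % claims.get("sub"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if not set(aud) & set(role["bound_audiences"]):
        raise PermissionError("no audience in bound_audiences")
    # user_claim names the claim whose VALUE becomes the alias name on this mount;
    # the same name on a later login maps to the same implicit entity.
    alias_name = claims.get(role["user_claim"])
    if not isinstance(alias_name, str) or not alias_name:
        raise PermissionError("user_claim %r missing or not a string" % role["user_claim"])
    # groups_claim names a string-array claim; the names are recorded, but Vault
    # does not auto-create group aliases for them.
    groups = claims.get(role["groups_claim"], [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise PermissionError("groups_claim %r must be a string array" % role["groups_claim"])
    return {"alias": {"mount_accessor": MOUNT_ACCESSOR, "name": alias_name},
            "groups": groups, "policies": role["policies"]}

def login_is_rejected(role_name: str, jwt: str, now: int = NOW) -> bool:
    try:
        login(role_name, jwt, now)
    except PermissionError:
        return True
    return False

# Constructed tokens: an email as the user claim (as John expected) and a
# namespaced URL as the groups claim NAME (the shape John saw in the docs).
BOB_JWT = make_sample_jwt({"sub": "auth0|bob", "aud": "vault-demo", "exp": NOW + 3600,
                           "email": "bob@acme.org", "https://vault/groups": ["engineering_foo"]})
SALLY_JWT = make_sample_jwt({"sub": "auth0|sally", "aud": "vault-demo", "exp": NOW + 3600,
                             "email": "sally@acme.org", "https://vault/groups": ["marketing_team"]})

if __name__ == "__main__":
    print(login("engineering_foo", BOB_JWT))                    # alias name bob@acme.org
    print(login("engineering_manager", BOB_JWT))                # bound_subject matches
    print(login_is_rejected("engineering_manager", SALLY_JWT))  # True: sub mismatch
    print(login_is_rejected("marketing_team", BOB_JWT))         # False: nothing stops Bob
```

The last line is the point to take away for the design in the first post: with an empty bound_subject, nothing in the role stops Bob's backend from naming marketing_team at login and receiving that role's policies, so the per-user restriction has to come from the role's bounds (or from the backend never letting a user pick a role outside their groups), not from the role name alone.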

John Wong

Sep 24, 2018, 9:24:55 PM9/24/18
to Vault
Hi Jeff, thank you for the response.


> 2. What would the group_claims / user_claims be like? That's also not very clear to me, exactly what they are.

> The user claim (string) is the claim in the JWT that should be used to
> uniquely identify the user. This value is then used in Identity as the
> alias name for the mount. The group claim (string array) is used to
> identify the groups that the user belongs to, which is used for
> populating Identity groups.

Sorry, but why is the example in the doc presented in the form of a URL? I was thinking user_claim="b...@acme.org".


> 3. The doc also mentions identity. How are JWT user/group claims used to set up aliases? Do I have to first create an entity for Bob (Bob can assume either engineering_foo or engineering_manager permissions)?

> You don't need to create an entity ahead of time; one will be created
> if one doesn't exist/match for that combination of alias mount and
> name. The next time the user logs in that name will identify them and
> they will be associated with the same entity.


So does using JWT auth actually automatically create an entity for us in what you described?

I am sorry if these questions seem illogical. I just have a difficult time wrapping identity around my head. But I appreciate the help!

Matthew Irish

Sep 24, 2018, 9:41:25 PM9/24/18
to vault...@googlegroups.com
Hi John,

Any auth backend other than the token method will create implicit entities. See https://www.vaultproject.io/docs/secrets/identity/index.html#implicit-entities for the specifics on that. That page is also a good overview of Identity in vault generally.

Thanks,
Matthew

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/a9ae40db-2067-426f-9c04-19270c6392c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jeff Mitchell

Sep 28, 2018, 11:27:35 AM9/28/18
to Vault
On Mon, Sep 24, 2018 at 9:24 PM John Wong <999i...@gmail.com> wrote:
> Sorry, but why is the example in the doc presented in the form of a URL? I was thinking user_claim="b...@acme.org".

URLs are uniquely identifying; so are email addresses. It depends on
the provider!

Best,
Jeff