New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSH Secrets engine: allowed_users templating strict regex #10388
Labels
Comments
A (rather stupid) workaround if you can choose the username freely:
It works because the regex checks for |
phihos
added a commit
to phihos/vault
that referenced
this issue
Feb 10, 2021
phihos
added a commit
to phihos/vault
that referenced
this issue
Mar 5, 2021
phihos
added a commit
to phihos/vault
that referenced
this issue
Mar 5, 2021
phihos
added a commit
to phihos/vault
that referenced
this issue
Oct 17, 2021
pmmukh
pushed a commit
that referenced
this issue
Oct 19, 2021
) * Let allowed_users template mix templated and non-templated parts (#10388) * Add documentation * Change test function names * Add documentation * Add changelog entry
Fixed by #10886 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Hi, reading the documentation on the SSH secrets engine, we can leverage identity templating in the allowed_users part : https://www.vaultproject.io/api-docs/secret/ssh#allowed_users_template
After testing it, it turns out the templating detection uses a pretty strict regexp
vault/builtin/logical/ssh/path_sign.go
Line 224 in 3abc7ee
The surrounding
^$
makes it so that I can't use templating in the middle of the principal.Concrete examples:
This is valid and will perform as expected:
This is valid, but will not apply templating (and Vault will expect the exact value to be a valid principal)
Describe the solution you'd like
I believe the strict regexp was useful when the
allowed_users_template
did not exist in the initial PR #7548 but operators have to explicitly opt in to the templating now.I would like to relax the regexp so that I can use the feature more flexibly.
This would fit my expectations of how templating works in other parts of Vault, for example paths in policies where the templating can be anywhere https://www.vaultproject.io/docs/concepts/policies#templated-policies
Describe alternatives you've considered
Documentation on the values where the templating actually happens could be a compromise if we won't relax the regexp.
Explain any additional use-cases
My current system uses more information than the username as a principal to identify connecting users (for example, you could differentiate users from service accounts). In this case, having surrounding info on the principal can be useful.
Additional context
Original PR #7548
Thanks,
The text was updated successfully, but these errors were encountered: