
Add approle metadata to identity alias #8128

Closed
lcgkm opened this issue Jan 10, 2020 · 4 comments · Fixed by #9529

Comments

@lcgkm

lcgkm commented Jan 10, 2020

Could we allow writing identity token templates that include attribute:[role_name]?
(And including this attribute in path templates)
If Vault can add the AppRole's role name to the entity alias metadata, then we can reference entity metadata in our ACL templates directly.

Reference:
#7985
#2985
#5916

@cfarrend

We have worked around this by going to the entity associated with the alias after creating the AppRole and using the metadata from there


Then we can apply the policy

path "secret/data/github/deploy-keys/write/{{identity.entity.metadata.repo_name}}" {
  capabilities = ["read"]
}

Not sure if this is related to your issue @lcgkm ?

@lcgkm

lcgkm commented Feb 20, 2020

Hi @cfarrend ,
Yes, it is related to my issue. But I don't want to add AppRole metadata to the identity alias manually.
As far as I know, when we log in to Vault using AppRole, the identity and identity alias are generated automatically.
Please check this: #7985

@cfarrend

@lcgkm Completely agree, we don't want to do it either.

We still need some method of automating this process for the time being as we are pursuing this path for policies that grant access to secrets based on an AppRole name.

The solution we are currently using is as follows:

For new AppRoles (using the CLI):

  1. Create the AppRole
  2. Get the role_id by using vault read -field=role_id auth/approle/role/<role_name>/role-id
  3. Get the secret_id by using vault write -field=secret_id -f auth/approle/role/<role_name>/secret-id
  4. Use vault login for the AppRole ID and Secret ID (this step creates the entity - required)
  5. Get the entity_id by using vault write -field=id identity/lookup/entity alias_name=<role_id> alias_mount_accessor=<> where alias_mount_accessor is the ID of your AppRole authentication method (from the Auth Methods section in Vault)
  6. Write the metadata to the entity by using vault write identity/entity/id/<entity_id>/ metadata=approle_name=<role_name> - you can now use a policy similar to the one described above

For existing AppRoles:
Do steps 5 & 6
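The six CLI steps above, automated over Vault's HTTP API. This is an added example, not code from the Vault project or from anyone in this thread. It assumes AppRole is mounted at auth/approle, that VAULT_ADDR and VAULT_TOKEN identify the provisioning session, and it writes the same metadata key, approle_name, as step 6. The fake_vault transport and its canned responses are constructed for offline use; against a real server, pass the default http_request transport instead. One addition to the thread's steps: the token returned by the step-4 login is revoked immediately, because that login is needed only for its side effect of creating the entity and alias.

```python
"""Automating the six-step workaround from this thread over the Vault HTTP API.

Added example: not code from the Vault project or from anyone in the thread.
Assumptions: AppRole is mounted at auth/approle, VAULT_ADDR and VAULT_TOKEN
hold the provisioning session, and the metadata key is "approle_name" as in
the thread's step 6.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, path under /v1/, JSON body or None, token or None) -> parsed JSON.
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


def http_request(method: str, path: str, body: Optional[dict], token: Optional[str]) -> dict:
    """Default transport: one JSON request to $VAULT_ADDR/v1/<path>."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", token or os.environ["VAULT_TOKEN"])
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # 204 responses carry no body


def create_approle(role_name: str, policies: List[str], request: Transport = http_request,
                   mount: str = "approle") -> None:
    """Step 1: create (or update) the AppRole with the policies its tokens should carry."""
    request("POST", f"auth/{mount}/role/{role_name}", {"token_policies": policies}, None)


def tag_entity_with_role_name(role_name: str, request: Transport = http_request,
                              mount: str = "approle") -> Dict[str, str]:
    """Steps 2-6: mint credentials, log in once so the entity and alias exist,
    find the entity through its alias, and write approle_name into its metadata."""
    role_path = f"auth/{mount}/role/{role_name}"
    role_id = request("GET", f"{role_path}/role-id", None, None)["data"]["role_id"]        # step 2
    secret_id = request("POST", f"{role_path}/secret-id", {}, None)["data"]["secret_id"]  # step 3
    # Step 4: the login matters only for its side effect (entity creation). The token it
    # returns is revoked at once so provisioning leaves no live AppRole token behind.
    login = request("POST", f"auth/{mount}/login", {"role_id": role_id, "secret_id": secret_id}, None)
    request("POST", "auth/token/revoke-self", {}, login["auth"]["client_token"])
    # "alias_mount_accessor is the ID of your AppRole authentication method": read it from sys/auth.
    auths = request("GET", "sys/auth", None, None)
    accessor = auths.get("data", auths)[f"{mount}/"]["accessor"]
    # Step 5: an AppRole alias is named after the role_id, so look the entity up by that name.
    entity = request("POST", "identity/lookup/entity",
                     {"alias_name": role_id, "alias_mount_accessor": accessor}, None)
    entity_id = entity["data"]["id"]
    # Step 6: metadata a policy template can reference as identity.entity.metadata.approle_name.
    request("POST", f"identity/entity/id/{entity_id}", {"metadata": {"approle_name": role_name}}, None)
    return {"role_id": role_id, "entity_id": entity_id, "mount_accessor": accessor}


def fake_vault() -> Tuple[Transport, List[Tuple[str, str, Optional[dict]]]]:
    """Constructed offline stand-in for Vault: canned responses shaped like the real API's,
    plus a log of every call, so the workflow can be exercised without a server."""
    calls: List[Tuple[str, str, Optional[dict]]] = []
    canned = {  # constructed sample values, not real identifiers
        "auth/approle/role/deploy-web/role-id": {"data": {"role_id": "rid-0001"}},
        "auth/approle/role/deploy-web/secret-id": {"data": {"secret_id": "sid-0001"}},
        "auth/approle/login": {"auth": {"client_token": "s.fake", "entity_id": "ent-0001"}},
        "sys/auth": {"data": {"approle/": {"type": "approle", "accessor": "auth_approle_fake"}}},
        "identity/lookup/entity": {"data": {"id": "ent-0001", "aliases": []}},
    }

    def request(method: str, path: str, body: Optional[dict], token: Optional[str]) -> dict:
        calls.append((method, path, body))
        return canned.get(path, {})

    return request, calls


if __name__ == "__main__":
    request, calls = fake_vault()
    create_approle("deploy-web", ["deploy-web-policy"], request)
    print(tag_entity_with_role_name("deploy-web", request))
    for call in calls:
        print(call)
```

Run as a script it replays the whole sequence against the fake and prints each call, which is a convenient way to review exactly what a pipeline would send before pointing it at a real cluster. After step 6 the entity carries approle_name, so a policy of the form seen earlier in the thread, with {{identity.entity.metadata.approle_name}} in the path, resolves per role.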

@lcgkm

lcgkm commented Feb 24, 2020

@cfarrend Agree!
Step 4 is very important. It splits the whole provisioning workflow.
