Support token.metadata.<key> in ACL templates #13715
Conversation
We have a Vault Enterprise client that is using Sentinel for two applications. What they need to do with Sentinel is quite simple and could be done much more easily by using ACL templates if they supported injecting a token's metadata. That would be more readable than a large Sentinel script and make it much easier to onboard operators that need to make changes to those applications.
Hi Remi, We've had to say "no" to template-token-metadata requests many times I'm afraid, most recently in #10682. Excerpted:
Can you use identity metadata instead for your use case?
Wow, indeed I completely missed this. I suppose implementing this feature like this is a no go then.
In our case we can't use entities because of the way Vault Enterprise is priced, doing this would add thousands of entities. Perhaps there could be some way to do this by adding a new field to Just like you need to be root to set In This could make this feature work, It seems to me that this could be secure, after all an application that can make changes to If you think that it's worth it to try something like that I can propose a better patch to explore things out and fix the shortcomings of this one, otherwise we can close this PR.
Sorry for replying on an older PR but I was browsing to see if others came up with new insights in the subject. I'll go ahead and link this topic as I think it offers a similar solution as what you describe. TL;DR just as you propose, we need to "prove" the data to be authoritative and not "arbitrary".
Hey @remilapeyre , We discussed this a little more internally. Identity metadata should allow users to template ACL policies while using a unique identity for each application, service, or user that needs to authenticate to a cluster. At this time we don't want to add a new mechanism for ACL templating.
It's not your fault, it's Hashicorp's and they don't want to admit the mistake.