Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per-client cert policies possible? #46

Open
Tamerz opened this issue Oct 17, 2021 · 4 comments
Open

Per-client cert policies possible? #46

Tamerz opened this issue Oct 17, 2021 · 4 comments
Labels
question Further information is requested

Comments

@Tamerz
Copy link

Tamerz commented Oct 17, 2021

I've set this module up and it seems to work as far as allowing all Puppet agents to use the same policy by setting it at the auth/cert/certs/puppetserver as documented.

Is it possible with this method to give specific agents specific policies? If so, some documentation would be appreciated.
@smortex smortex added the question Further information is requested label Oct 18, 2021
@gokuatkai
Copy link

gokuatkai commented Oct 25, 2021
edited
Loading

Hi, you can have one dynamic policy using the Template variables
identity.entity.aliases.<mount accessor>.name this would be your machine hostname (where <mount accessor> is the name of the cert auth method)

But you cannot add different policy, hope it helps

@Tamerz
Copy link
Author

Tamerz commented Dec 21, 2021

Thanks, I was hoping not to make the path itself host specific. An example would be 'host1' and 'host2' have access to /secrets/ssl_key/mysite

Anything come to mind as to this being possible? If not, I'll have to go down a different road.

@arusso
Copy link

arusso commented Jun 3, 2022

Vault 1.10 merges in PR#13348 which will populate the entity alias metadata hash with the cert extensions of the client cert.

So using cert extensions when you sign your agent cert, you should be able to set arbitrary values that you can use in vault to template with.

Though full disclosure, I haven't tried this yet since my vault instance isn't at 1.10 yet.

@firstnevyn
Copy link
Contributor

firstnevyn commented Aug 8, 2022
edited
Loading

I think this is possible you need access to write to the cert authenticator in vault you can then upload puppet's CA cert multiple times associating it with different policies and different sets of common names. those policies then restrict you to a particular kv path

so if you had alice_secrets and a policy puppetcert_alice_secret_access
and bob_secrets and a policy puppetcert_bob_secret _access

you then upload the puppet CA cert with vault like this:
https://www.vaultproject.io/api-docs/auth/cert

vault write auth/cert/certs/puppetcert_alice \
    display_name=alice_secrets_authenticator \
    policies=puppetcert_alice_secret_access \
    allowed_common_name=["alice_host1.mydomain.example"", "alice_host2.mydomain.example"] \
    certificate=@puppetca.cert \
    ttl=3600

vault write auth/cert/certs/puppetcert_bob \
    display_name=bob_secrets_authenticator \
    policies=puppetcert_bob_secret_access \
    allowed_common_name=["boblhost1.mydomain.example"", "bob_host2.mydomain.example"] \
    certificate=@puppetca.cert \
    ttl=3600

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@smortex @firstnevyn @Tamerz @arusso @gokuatkai