Dynamic SSH Signing Policy

rj.basore · December 21, 2022, 5:50pm

We are trying to create an SSH signing Role where the valid princpal is passed from OIDC. We have attempted a policy like this
{

“allow_user_certificates”: true,

“valid_principals”: “{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}”,

“allowed_users”: “{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}”,

“allowed_users_template”: true,

“allowed_extensions”: “”,

“default_extensions”: [

{

“permit-pty”: “”

}

],

“key_type”: “ca”,

“default_user”: “{{identity.entity.aliases.auth_oidc_8dc5e18f.name}}”,

“ttl”: “480m0s”

}

However it is literally passing the value {{identity.entity.aliases.auth_oidc_8dc5e18f.name}} into the policy. We have also tried it without quotes then it complains about the format.

maxb · December 21, 2022, 7:09pm

You have not specified default_user_template. Also, you have specified valid_principals despite it not being a valid parameter for SSH roles.

rj.basore · December 21, 2022, 9:25pm

Thanks so much for the response. I was able to update the role and everything started working

Topic		Replies	Views
Vault SSH CA can't get allowed_users_template to work Vault vault	2	1109	January 27, 2022
SSH secrets provider and identity templating Vault	2	1001	August 20, 2021
How to specify valid_principals when signing SSH CA host key? Vault	3	1736	October 17, 2021
HELP, I'm very confusing about Default username & Allowed user in SSH CA Vault	1	56	June 26, 2024
Dynamically create jumpcloud oidc users Vault vault	0	127	May 20, 2024

Dynamic SSH Signing Policy

Related topics