Hello,
I am trying to set up Vault so that it uses OIDC JWT authentication to log in to Vault, so that the JWT gets validated and returns a Vault token that allows the client to decrypt one specific key linked to the JWT claims, but I am failing to get it working.
I have set up a Vault auth method using OIDC JWT like this:
vault auth enable jwt
vault write auth/jwt/config oidc_discovery_url="https://my.oidc.com/oidc"
I would like to create a policy that would allow a tenant to decrypt only its tenant keyring.
Here it is:
vault policy write tenant-only-read -<<EOF
path "tenants-keyrings/decrypt/{{identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId}}" {
  capabilities = ["update"]
}
EOF
Notice the JWT accessor used in the mapping, which references the JWT auth mount above.
I have created a role for a given tenant:
vault write auth/jwt/role/tenant-4fd42609-25ac-45B2-b21e-d2c57a59d714 -<<EOF
{
  "role_type": "jwt",
  "user_claim": "tenant_id",
  "policies": ["tenant-only-read"],
  "bound_claims": {
    "tenant_id": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
  },
  "claim_mappings": {
    "tenant_id": "tenantId"
  }
}
EOF
Notice the claim_mapping that keeps the tenant id in the entity alias metadata.
I manage to log in to Vault successfully, which is great because it means the JWT is valid,
but when I try to decrypt a value for this tenant (using the newly issued Vault token) I get a permission denied:
vault write tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714 ciphertext=vault:v1:xrSHgI23JEshy09bFLZnlc+Yde+DI7MwUu7Xu5wYpfWy9co=
Error writing data to tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714: Error making API request.
URL: PUT http://localhost:8200/v1/tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714
Code: 403. Errors:
* 1 error occurred:
* permission denied
When I look at the entity associated with my Vault token I get this:
vault read -format=json identity/entity/id/50070227-48c2-2365-eccd-80d4d6227d93
{
  "request_id": "ffa760e7-0fad-66f0-53fa-31eb77373f6b",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "aliases": [
      {
        "canonical_id": "50070227-48c2-2365-eccd-80d4d6227d93",
        "creation_time": "2021-12-04T19:16:49.173785374Z",
        "custom_metadata": null,
        "id": "18e3d9c9-9168-0113-d6c0-26123a031760",
        "last_update_time": "2021-12-04T19:16:49.173785374Z",
        "local": false,
        "merged_from_canonical_ids": null,
        "metadata": {
          "tenantId": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
        },
        "mount_accessor": "auth_jwt_b6c97ee6",
        "mount_path": "auth/jwt/",
        "mount_type": "jwt",
        "name": "4fd42609-25ac-45b2-b21e-d2c57a59d714"
      }
    ],
    "creation_time": "2021-12-04T19:16:49.173773074Z",
    "direct_group_ids": [],
    "disabled": false,
    "group_ids": [],
    "id": "50070227-48c2-2365-eccd-80d4d6227d93",
    "inherited_group_ids": [],
    "last_update_time": "2021-12-04T19:16:49.173773074Z",
    "merged_entity_ids": null,
    "metadata": null,
    "name": "entity_a6a593f2",
    "namespace_id": "root",
    "policies": []
  },
  "warnings": null
}
This seems fine to me, as identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId equals "4fd42609-25ac-45b2-b21e-d2c57a59d714", which is the required key, but it is not working.
Any help would be much appreciated.
SeB.
PS: I have also tried to use {{identity.entity.aliases.auth_jwt_b6c97ee6.name}} instead, but it also fails.
PPS: replacing the {{template}} with a * works perfectly (path "tenants-keyrings/decrypt/*").
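Added example, not code from the post above or from Vault itself: a small Python model of what Vault does with the policy in this thread. It renders the templated path from the entity alias data shown in the post (`metadata.tenantId` and the alias `name`, both lowercase `45b2`) and then matches the request path against it the way Vault's ACL does, which is an exact, case-sensitive comparison with `+` for one segment and a trailing `*` as a glob. The request path in the post spells the tenant id with an uppercase `45B2`, and the model reports that as a case mismatch rather than a match. The `*` rule from the PPS is also checked: it matches everything under `tenants-keyrings/decrypt/`, including another tenant's keyring, which is why it "works" but gives up the per-tenant isolation the templated policy was meant to enforce. The template syntax and matching rules follow Vault's documented policy behaviour; the `diagnose` helper and its result labels are this example's own, and the `ENTITY` dict is constructed from the JSON in the post.

```python
"""Model of Vault ACL policy templating plus case-sensitive path matching.

Added example, not Vault's code: renders a templated policy path from an
entity's alias data and checks a request path against it with Vault-style
semantics (exact case-sensitive segments, '+' = one segment, trailing '*' = glob).
"""
import re
from typing import Optional

# Constructed from the `vault read identity/entity/id/...` output in the post;
# only the fields the templating needs are kept.
ENTITY = {
    "data": {
        "id": "50070227-48c2-2365-eccd-80d4d6227d93",
        "aliases": [
            {
                "mount_accessor": "auth_jwt_b6c97ee6",
                "mount_type": "jwt",
                "name": "4fd42609-25ac-45b2-b21e-d2c57a59d714",
                "metadata": {"tenantId": "4fd42609-25ac-45b2-b21e-d2c57a59d714"},
            }
        ],
    }
}

# The two templated paths tried in the post and the request path from the post
# (note the uppercase "45B2" in the request path).
POLICY_TEMPLATE = "tenants-keyrings/decrypt/{{identity.entity.aliases.auth_jwt_b6c97ee6.metadata.tenantId}}"
NAME_TEMPLATE = "tenants-keyrings/decrypt/{{identity.entity.aliases.auth_jwt_b6c97ee6.name}}"
REQUEST_PATH = "tenants-keyrings/decrypt/4fd42609-25ac-45B2-b21e-d2c57a59d714"

# Subset of Vault's identity template parameters handled by this model:
# {{identity.entity.aliases.<accessor>.name}} and
# {{identity.entity.aliases.<accessor>.metadata.<key>}}
TEMPLATE_RE = re.compile(
    r"\{\{\s*identity\.entity\.aliases\.([\w-]+)\.(?:(name)|metadata\.([\w-]+))\s*\}\}"
)


def render_policy_path(template: str, entity: dict) -> Optional[str]:
    """Substitute alias name / alias metadata parameters for the given entity.

    Returns None when a referenced accessor or metadata key is absent on the
    entity; this model then treats the rule as unresolvable (a simplification).
    """
    aliases = {a["mount_accessor"]: a for a in entity["data"]["aliases"]}
    missing = []

    def substitute(m):
        accessor, is_name, key = m.groups()
        alias = aliases.get(accessor)
        if alias is None:
            missing.append(accessor)
            return ""
        if is_name:
            return alias["name"]
        value = (alias.get("metadata") or {}).get(key)
        if value is None:
            missing.append(f"{accessor}.metadata.{key}")
            return ""
        return value

    rendered = TEMPLATE_RE.sub(substitute, template)
    return None if missing else rendered


def path_allowed(policy_path: str, request_path: str) -> bool:
    """Case-sensitive Vault-style match: segments must be identical, '+'
    matches exactly one segment, and a trailing '*' matches any suffix."""
    glob = policy_path.endswith("*")
    pseg = (policy_path[:-1] if glob else policy_path).split("/")
    rseg = request_path.split("/")
    if glob:
        if len(rseg) < len(pseg):
            return False
        head_ok = all(p in ("+", r) for p, r in zip(pseg[:-1], rseg[:-1]))
        tail = "/".join(rseg[len(pseg) - 1:])
        return head_ok and tail.startswith(pseg[-1])
    return len(pseg) == len(rseg) and all(p in ("+", r) for p, r in zip(pseg, rseg))


def diagnose(template: str, request_path: str, entity: dict) -> str:
    """Explain why a request is allowed or denied under a templated rule.

    Labels are this example's own: 'allowed', 'denied', 'case-mismatch'
    (would match only case-insensitively, which Vault never does) and
    'unresolvable-template'.
    """
    rendered = render_policy_path(template, entity)
    if rendered is None:
        return "unresolvable-template"
    if path_allowed(rendered, request_path):
        return "allowed"
    if path_allowed(rendered.lower(), request_path.lower()):
        return "case-mismatch"
    return "denied"


if __name__ == "__main__":
    for label, tpl in (("metadata.tenantId", POLICY_TEMPLATE), ("alias name", NAME_TEMPLATE)):
        print(f"{label}: rendered={render_policy_path(tpl, ENTITY)!r} -> "
              f"{diagnose(tpl, REQUEST_PATH, ENTITY)}")
    print("lowercased request ->", diagnose(POLICY_TEMPLATE, REQUEST_PATH.lower(), ENTITY))
    # The '*' rule from the PPS also admits another tenant's keyring:
    print("glob, other tenant ->",
          diagnose("tenants-keyrings/decrypt/*", "tenants-keyrings/decrypt/other-tenant", ENTITY))
```

Running the script reports `case-mismatch` for both templated variants against the request path as typed in the post, `allowed` once the request path is lowercased, and `allowed` for the `*` rule even when the request names a different tenant. The practical check before blaming the template is therefore to compare the rendered alias value and the request path byte for byte, since the metadata value comes from the JWT claim and the request path is typed by the client.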