I’m using the SSH CA from the CLI and it’s working great; the users don’t really need to know anything about the Vault internals, they just run a one-liner to sign their public key.
But I want them to use the Vault web UI for some scenarios, and I am enforcing some values in their role such as:
"valid_principals" = ["bofh"],
"allowed_users" = ["bofh"],
"allowed_critical_options" = " ",
"default_critical_options" = {
  "source-address" = "1.2.3.0/24"
}
This is totally transparent as long as they run:
vault write -field=signed_key someca/sign/ssh_sign public_key=@public.pub > public-cert.pub
When a user wants to sign their public SSH key with my CA in the web UI, they need to enter lots of information manually into the web forms in the Vault UI, otherwise the Vault UI will just assume that you provided empty data for the enforced options etc.
Is there a way around this?
Like having Vault pre-populate the “valid principal” field and “Critical options” based on what’s in the role.
If I don’t enter this info into the fields, it’ll just throw this error:
"Error: 1 error occurred: * permission denied "
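One way to get the "pre-populated from the role" behaviour without the UI is a small wrapper that reads the role, derives the request fields from it, signs, and then checks the issued certificate before writing it out. This is an added example, not code from the original post or from Vault; it assumes `VAULT_ADDR` and `VAULT_TOKEN` are set, that the role is readable at `someca/roles/ssh_sign` and the signing endpoint is `someca/sign/ssh_sign` (the mount and role names from the post), and that the role's `allowed_users` / `default_user` are what the principals should be taken from. The request deliberately omits `critical_options`, the same as the CLI one-liner does, so Vault applies the role's `default_critical_options` server-side; `make_demo_cert` builds a constructed, unsigned certificate purely so the parser and checker can be exercised offline.

```python
"""Sign an SSH public key against Vault's SSH CA with the request fields filled
from the role, then verify the issued cert carries what the role enforces.

Added example, not from the original post or from Vault. Assumed (not in the
post): VAULT_ADDR/VAULT_TOKEN in the environment, role at someca/roles/ssh_sign,
signing endpoint someca/sign/ssh_sign.
"""
import base64
import json
import os
import struct
import sys
import urllib.request

MOUNT, ROLE = "someca", "ssh_sign"


def sign_request_from_role(role_data, public_key, principals=None):
    """POST body for MOUNT/sign/ROLE, as the CLI one-liner effectively sends it:
    public_key plus the principals the role permits. critical_options is left
    out on purpose so Vault applies default_critical_options itself."""
    if principals is None:
        allowed = role_data.get("allowed_users") or role_data.get("default_user") or ""
        if allowed == "*":  # "any user" gives nothing to derive; fall back to default_user
            allowed = role_data.get("default_user") or ""
        principals = [p.strip() for p in allowed.split(",") if p.strip()]
    if not principals:
        raise ValueError("role yields no principals; pass them explicitly")
    return {"public_key": public_key, "cert_type": "user",
            "valid_principals": ",".join(principals)}


def vault(method, path, body=None):
    """Minimal Vault HTTP API call; returns the parsed JSON response."""
    req = urllib.request.Request(
        f"{os.environ['VAULT_ADDR']}/v1/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# OpenSSH certificate wire format (PROTOCOL.certkeys): length-prefixed strings.
def pack_string(b):
    b = b.encode() if isinstance(b, str) else b
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


KEY_FIELDS = {  # key-type-specific fields that follow the nonce
    "ssh-ed25519-cert-v01@openssh.com": 1,           # pk
    "ssh-rsa-cert-v01@openssh.com": 2,               # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,   # curve, point
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def parse_cert(cert_line):
    """Return (principals, critical_options) from one line of a *-cert.pub file."""
    blob = base64.b64decode(cert_line.split()[1])
    key_type, off = read_string(blob, 0)
    key_type = key_type.decode()
    _, off = read_string(blob, off)                      # nonce
    for _ in range(KEY_FIELDS[key_type]):
        _, off = read_string(blob, off)
    off += 8 + 4                                         # serial, type
    _, off = read_string(blob, off)                      # key id
    princ_blob, off = read_string(blob, off)
    off += 8 + 8                                         # valid after / before
    crit_blob, off = read_string(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):
        s, p = read_string(princ_blob, p)
        principals.append(s.decode())
    critical, c = {}, 0
    while c < len(crit_blob):
        name, c = read_string(crit_blob, c)
        data, c = read_string(crit_blob, c)
        # option data is itself a packed string (the CIDR list / command)
        critical[name.decode()] = read_string(data, 0)[0].decode() if data else ""
    return principals, critical


def check_cert(cert_line, role_data):
    """List mismatches between the issued cert and what the role enforces."""
    principals, critical = parse_cert(cert_line)
    problems = []
    allowed = {p.strip() for p in (role_data.get("allowed_users") or "").split(",")}
    if "*" not in allowed:
        problems += [f"principal {p!r} not in allowed_users" for p in principals if p not in allowed]
    for name, value in (role_data.get("default_critical_options") or {}).items():
        if critical.get(name) != value:
            problems.append(f"critical option {name}={value!r} missing (got {critical.get(name)!r})")
    return problems


def make_demo_cert(principals, critical, key_type="ssh-ed25519-cert-v01@openssh.com"):
    """Constructed, UNSIGNED cert line (dummy key, empty signature) so the parser
    and checker can be tried offline; sshd would of course reject it."""
    body = pack_string(key_type) + pack_string(b"\0" * 32) + pack_string(b"\0" * 32)
    body += struct.pack(">QI", 1, 1) + pack_string("demo")
    body += pack_string(b"".join(pack_string(p) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1)
    body += pack_string(b"".join(pack_string(n) + pack_string(pack_string(v))
                                 for n, v in sorted(critical.items())))
    body += pack_string(b"") * 4                          # extensions, reserved, sig key, sig
    return key_type + " " + base64.b64encode(body).decode() + " demo"


def main(pubkey_path, out_path):
    role = vault("GET", f"{MOUNT}/roles/{ROLE}")["data"]
    with open(pubkey_path) as f:
        body = sign_request_from_role(role, f.read().strip())
    cert_line = vault("POST", f"{MOUNT}/sign/{ROLE}", body)["data"]["signed_key"].strip()
    problems = check_cert(cert_line, role)
    if problems:
        sys.exit("refusing to install cert: " + "; ".join(problems))
    with open(out_path, "w") as f:
        f.write(cert_line + "\n")


if __name__ == "__main__":
    main(*sys.argv[1:3])   # usage: sign.py public.pub public-cert.pub
```

The check at the end is the part worth keeping even if you stay on the CLI: `ssh-keygen -L -f public-cert.pub` shows the same principals and critical options, but a script that refuses to write a cert whose `source-address` does not match the role catches a mis-edited role before the cert is ever handed to a user.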