Signed SSH Certificates

I followed the documentation: Signed SSH Certificates - SSH - Secrets Engines | Vault by HashiCorp

For several users, should we create a role per user?

Thank you for your answers

I’m about to walk that path Alain… So this might be wrong but here is how I see it.

  1. Create a role per use case or so. Should be a handful at most.
  2. For a given role, say “linux_admin”, create a Vault policy and assign that policy to whoever qualifies as a “linux_admin” to you. That policy allows whoever has it to call the ssh-client-signer/sign/my-role endpoint
  3. For example, if your Linux administrator logs in to Vault through the LDAP auth backend, assign the “can_issue_ssh_cert” policy to them via LDAP group membership.
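The three steps above, carried through as an added example (this is not code from the thread or from HashiCorp). It assumes the SSH secrets engine is mounted at `ssh-client-signer` and the LDAP auth method at `auth/ldap`, and it uses constructed names (`linux_admin` for the role, `linux_admin_ssh` for the policy, `linux-admins` for the LDAP group, `ops,deploy` as allowed principals). The policy grants `update` on the one role-specific sign path rather than `sign/*`, so a holder of the `linux_admin` policy cannot sign with any other role's constraints.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed mount name; override via SSH_MOUNT.
SSH_MOUNT="${SSH_MOUNT:-ssh-client-signer}"

# Step 2: render a Vault policy that allows signing with exactly one role.
# Granting the role-specific path (not sign/*) keeps use cases isolated from each other.
render_sign_policy() {
  role="$1"
  printf 'path "%s/sign/%s" {\n  capabilities = ["update"]\n}\n' "$SSH_MOUNT" "$role"
}

# Step 1: render the role definition for one use case: which Linux principals a certificate
# from this role may carry, how long it lives, and the extensions it grants by default.
render_role_json() {
  allowed_users="$1"; ttl="$2"
  cat <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "$allowed_users",
  "default_user": "${allowed_users%%,*}",
  "ttl": "$ttl",
  "max_ttl": "$ttl",
  "default_extensions": {"permit-pty": ""}
}
EOF
}

# Steps 1-3 applied against a live Vault (needs VAULT_ADDR/VAULT_TOKEN and the ssh and ldap
# mounts already enabled). "-" makes `vault write` / `vault policy write` read from stdin.
apply_use_case() {
  role="$1"; allowed_users="$2"; ttl="$3"; ldap_group="$4"
  render_role_json "$allowed_users" "$ttl" | vault write "$SSH_MOUNT/roles/$role" -
  render_sign_policy "$role" | vault policy write "${role}_ssh" -
  vault write "auth/ldap/groups/$ldap_group" policies="${role}_ssh"
}

# Review check: the rendered policy names the intended role's sign path and no wildcard.
policy_allows_only_role() {
  policy="$1"; role="$2"
  printf '%s\n' "$policy" | grep -q "\"$SSH_MOUNT/sign/$role\"" &&
  ! printf '%s\n' "$policy" | grep -q 'sign/\*'
}

if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
  apply_use_case linux_admin "ops,deploy" 30m linux-admins
else
  # No Vault reachable: just show what would be written.
  render_sign_policy linux_admin
  render_role_json "ops,deploy" 30m
fi
```

Run it with `VAULT_ADDR` and `VAULT_TOKEN` exported to apply the role, policy and group mapping; without them it only prints the rendered policy and role so you can review them first. A second use case (say `db_admin`) is another `apply_use_case` call with its own principals and group, not another copy of the policy.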