SSH CA - Template list in allowed_users

Hi All,

I would like to control ssh access to servers using Azure AD groups.

How can I use Templating to get a list of the users Groups or Polices into the allowed_users field in the ssh certificate signer?

A list of group names would be nice, eg:
“allowed_users”: “{{identity.entity.groups.names}}”,
“allowed_users_template”: true

I currently have oidc authentication to Azure AD, with external groups configured as per the guide here : Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn

What I would like to be able to do is create some Azure AD groups, such as

  • ad-grp-ssh-admin-all
  • ad-grp-ssh-admin-server1
  • ad-grp-ssh-admin-server2
  • ad-grp-ssh-admin-webservers
  • ad-grp-ssh-user-all
  • ad-grp-ssh-user-server1
  • ad-grp-ssh-user-server2
  • ad-grp-ssh-user-webservers

On each of the SSH servers, I would have something like the following:

sshd_config:

  TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pem
  AuthorizedPrincipalsFile: /etc/ssh/auth_principals/%u

/etc/ssh/auth_principals/admin:

ad-grp-ssh-admin-all
ad-grp-ssh-admin-hostname1
ad-grp-ssh-admin-webservers

/etc/ssh/auth_principals/user:

ad-grp-ssh-user-all
ad-grp-ssh-user-hostname1
ad-grp-ssh-user-webservers

In theory this should allow me to control access by having the a list of groups in the ssh certificate Principals field.

eg. if a users certificate Principals field had:

  • ad-grp-ssh-admin-all → They can ssh as admin to all servers
  • ad-grp-ssh-admin-webservers → They can ssh as admin only to web servers
  • ad-grp-ssh-admin-server1, ad-grp-ssh-admin-hostname1-> They can ssh as admin to only server1 and server2

How can I achieve this with Vault?