Hi All,
I would like to control ssh access to servers using Azure AD groups.
How can I use Templating to get a list of the users Groups or Polices into the allowed_users field in the ssh certificate signer?
A list of group names would be nice, eg:
“allowed_users”: “{{identity.entity.groups.names}}”,
“allowed_users_template”: true
I currently have oidc authentication to Azure AD, with external groups configured as per the guide here : Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn
What I would like to be able to do is create some Azure AD groups, such as
- ad-grp-ssh-admin-all
- ad-grp-ssh-admin-server1
- ad-grp-ssh-admin-server2
- ad-grp-ssh-admin-webservers
- ad-grp-ssh-user-all
- ad-grp-ssh-user-server1
- ad-grp-ssh-user-server2
- ad-grp-ssh-user-webservers
On each of the SSH servers, I would have something like the following:
sshd_config:
TrustedUserCAKeys: /etc/ssh/trusted-user-ca-keys.pem
AuthorizedPrincipalsFile: /etc/ssh/auth_principals/%u
/etc/ssh/auth_principals/admin:
ad-grp-ssh-admin-all
ad-grp-ssh-admin-hostname1
ad-grp-ssh-admin-webservers
/etc/ssh/auth_principals/user:
ad-grp-ssh-user-all
ad-grp-ssh-user-hostname1
ad-grp-ssh-user-webservers
In theory this should allow me to control access by having the a list of groups in the ssh certificate Principals field.
eg. if a users certificate Principals field had:
- ad-grp-ssh-admin-all → They can ssh as admin to all servers
- ad-grp-ssh-admin-webservers → They can ssh as admin only to web servers
- ad-grp-ssh-admin-server1, ad-grp-ssh-admin-hostname1-> They can ssh as admin to only server1 and server2
How can I achieve this with Vault?