I would like to control ssh access to servers using Azure AD groups.
How can I use templating to get a list of the user's groups or policies into the allowed_users field in the SSH certificate signer?
A list of group names would be nice, eg:
I currently have OIDC authentication to Azure AD, with external groups configured as per the guide here: Azure Active Directory with OIDC Auth Method and External Groups | Vault - HashiCorp Learn
What I would like to be able to do is create some Azure AD groups, such as
On each of the SSH servers, I would have something like the following:
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
ad-grp-ssh-admin-all
ad-grp-ssh-admin-hostname1
ad-grp-ssh-admin-webservers
ad-grp-ssh-user-all
ad-grp-ssh-user-hostname1
ad-grp-ssh-user-webservers
In theory this should allow me to control access by having a list of groups in the SSH certificate Principals field.
eg. if a user's certificate Principals field had:
- ad-grp-ssh-admin-all → They can ssh as admin to all servers
- ad-grp-ssh-admin-webservers → They can ssh as admin only to web servers
- ad-grp-ssh-admin-server1, ad-grp-ssh-admin-hostname1 → They can ssh as admin to only server1 and server2
How can I achieve this with Vault?
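To illustrate the mechanism the post relies on (certificate principals carrying group names, checked against a per-account AuthorizedPrincipalsFile on each host), here is an added example that is not part of the original post or of Vault: a minimal parser for the principals field of an OpenSSH ed25519 user certificate, run against constructed per-host principals files. The certificate blob, key id and file contents are constructed sample data, and the CA signature is deliberately not verified here (sshd does that).

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at offset; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_principals(cert: bytes) -> list:
    """Extract valid_principals from an ssh-ed25519-cert-v01 blob (signature not checked)."""
    key_type, off = read_string(cert, 0)
    if key_type != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type: %r" % key_type)
    _nonce, off = read_string(cert, off)
    _pubkey, off = read_string(cert, off)
    off += 8 + 4                      # skip serial (uint64) and type (uint32)
    _key_id, off = read_string(cert, off)
    packed, off = read_string(cert, off)
    names, pos = [], 0
    while pos < len(packed):          # principals are packed as a sequence of strings
        name, pos = read_string(packed, pos)
        names.append(name.decode())
    return names

def build_sample_cert(principals, key_id=b"vault-oidc-user"):
    """Constructed, unsigned user certificate used only as sample input (dummy key and signature)."""
    blob = ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
    blob += ssh_string(b"\x00" * 32) + ssh_string(b"\x01" * 32)   # nonce, public key
    blob += struct.pack(">QI", 1, 1)                              # serial, type 1 = user cert
    blob += ssh_string(key_id)
    blob += ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
    blob += struct.pack(">QQ", 0, 2**64 - 1)                      # valid_after, valid_before
    blob += ssh_string(b"") * 3                                   # critical options, extensions, reserved
    return blob + ssh_string(b"dummy-ca-key") + ssh_string(b"dummy-signature")

def matching_principals(cert: bytes, principals_file: str) -> list:
    """Mimic sshd's AuthorizedPrincipalsFile check for one login account: the login is accepted
    if any certificate principal equals a non-comment line of that account's principals file."""
    allowed = {line.split("#", 1)[0].strip() for line in principals_file.splitlines()}
    allowed.discard("")
    return sorted(set(cert_principals(cert)) & allowed)

# Constructed per-host files, i.e. /etc/ssh/auth_principals/admin on two different servers.
ADMIN_FILE_HOSTNAME1 = "ad-grp-ssh-admin-all\nad-grp-ssh-admin-hostname1\n"
ADMIN_FILE_WEB1 = "ad-grp-ssh-admin-all\nad-grp-ssh-admin-web1\nad-grp-ssh-admin-webservers\n"
```

With a certificate whose only principal is ad-grp-ssh-admin-webservers, matching_principals returns an empty list for the hostname1 file (login denied) and the webservers group for the web1 file (login allowed).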