SSH secrets provider and identity templating

I’ve been experimenting with using Vault’s SSH CA functionality to generate ephemeral SSH certificates for use with my home lab. I’ve been able to successfully implement a basic configuration that allows me to sign keys and use those keys to authenticate to an appropriately-configured Linux instance.

Now I’m trying to take my configuration to the next level, by implementing a policy like what I might see in a multi-user environment. Specifically, what I’ve attempted to do is configure the policy to leverage the allowed users template with parameters associated with the user profile. Right now I have “Allowed users” set to {{ identity.entity.metadata.shortname }}, with the “Allowed users template” option checked.

When I look at my entity, I can confirm that there is a shortname metadata field with a defined value (which is also confirmed by running vault token lookup), but when I try to have vault sign a certificate with that shortname set as a “valid principal” I receive an error saying that <shortname-value> is not a valid value for valid_principals.

Can anyone offer any breadcrumbs for what I might be doing wrong here? From what I’ve been able to glean from other posts on the interwebs my configuration should be possible, but for whatever reason I can’t get it to work for me.

(Running vault 1.7.2 in case it matters.)

There seems to be a bug related to this but I’m not sure it’s quite the issue you’re experiencing. Perhaps it’ll offer some useful insight regardless.

Son of a … Thanks. That gave me exactly the breadcrumb I needed. Turns out I was bitten by the fact that the UI allows me to enter "{{ identity.entity.metadata.shortname }}", but that won’t result in the parameter actually being expanded. Changing the value to {{ identity.entity.metadata.shortname }} (without the quotes) yields the expected behavior.

That’s what I get for using the UI I guess… should have stuck with the CLI-based config.

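To make the failure mode in this thread concrete, here is an added example (not code from the thread or from Vault itself) that models how a templated allowed_users entry is expanded against entity metadata and then compared with the requested valid_principals. The metadata value and the role name are constructed; the equivalent CLI role settings are shown in a comment.

```python
import re
from typing import Dict, List

# Constructed sample entity metadata (hypothetical value, not from the thread).
ENTITY_METADATA = {"shortname": "alice"}

# CLI form of the role settings discussed in the thread (no quotes around the
# template, which the shell single quotes keep literal for Vault):
#   vault write ssh/roles/<ROLE-NAME> key_type=ca allow_user_certificates=true \
#       allowed_users_template=true \
#       allowed_users='{{identity.entity.metadata.shortname}}'

# Matches {{ identity.entity.metadata.<key> }}, with or without inner spaces.
TEMPLATE_RE = re.compile(
    r"\{\{\s*identity\.entity\.metadata\.([A-Za-z0-9_-]+)\s*\}\}"
)


def render_allowed_users(allowed_users: str, metadata: Dict[str, str]) -> List[str]:
    """Simplified model of identity templating on a comma-separated allow list.

    Only the {{ ... }} placeholder is replaced; every other character in the
    entry, including stray quotation marks, is kept verbatim. A missing
    metadata key raises, since nothing sensible can be substituted.
    """
    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in metadata:
            raise KeyError(f"entity metadata has no key {key!r}")
        return metadata[key]

    rendered = []
    for entry in allowed_users.split(","):
        entry = entry.strip()
        if entry:
            rendered.append(TEMPLATE_RE.sub(substitute, entry))
    return rendered


def principals_allowed(valid_principals: List[str], allowed_users: str,
                       metadata: Dict[str, str]) -> bool:
    """True only if every requested principal is in the rendered allow list."""
    allowed = set(render_allowed_users(allowed_users, metadata))
    return all(principal in allowed for principal in valid_principals)


if __name__ == "__main__":
    unquoted = "{{ identity.entity.metadata.shortname }}"
    quoted = '"{{ identity.entity.metadata.shortname }}"'
    print(render_allowed_users(unquoted, ENTITY_METADATA))  # ['alice']
    print(render_allowed_users(quoted, ENTITY_METADATA))    # ['"alice"']
    print(principals_allowed(["alice"], quoted, ENTITY_METADATA))  # False
```

The quoted form renders to a principal that still carries the quotation marks, so a request for the bare shortname is rejected, which is the symptom reported above.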