I’ve been experimenting with using Vault’s SSH CA functionality to generate ephemeral SSH certificates for use with my home lab. I’ve been able to successfully implement a basic configuration that allows me to sign keys and use those keys to authenticate to an appropriately-configured Linux instance.
Now I’m trying to take my configuration to the next level, by implementing a policy like what I might see in a multi-user environment. Specifically what I’ve attempted to do is configure the policy to leverage the allowed users template with parameters associated with the user profile. Right now I have Allowed users set to {{ identity.entity.metadata.shortname }}, with the “Allowed users template” option checked.
When I look at my entity, I can confirm that there is a shortname metadata field with a defined value (which is also confirmed by running vault token lookup), but when I try to have vault sign a certificate with that shortname set as a “valid principal” I receive an error saying that <shortname-value> is not a valid value for valid_principals.
Can anyone offer any breadcrumbs for what I might be doing wrong here? From what I’ve been able to glean from other posts on the interwebs my configuration should be possible, but for whatever reason I can’t get it to work for me.
Son of a … Thanks. That gave me exactly the breadcrumb I needed. Turns out I was bitten by the fact that the UI allows me to enter "{{ identity.entity.metadata.shortname }}", but that won’t result in the parameter actually being expanded. Changing the value to {{ identity.entity.metadata.shortname }} (without the quotes) yields the expected behavior.
That’s what I get for using the UI, I guess… should have stuck with the CLI-based config.
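The role definition that corresponds to the fix described above, as an added example rather than configuration from the original thread: the template is stored without surrounding quotes and allowed_users_template is enabled, so Vault expands it against the entity metadata of the token making the signing request (the quotes around the value here are JSON string delimiters, not part of the stored template). The mount path ssh-client-signer, the role name lab-user and the TTL values are assumptions.

```json
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users_template": true,
  "allowed_users": "{{identity.entity.metadata.shortname}}",
  "allowed_extensions": "permit-pty",
  "default_extensions": {
    "permit-pty": ""
  },
  "ttl": "30m",
  "max_ttl": "1h"
}
```

Load it with vault write ssh-client-signer/roles/lab-user @role.json and request a certificate with vault write ssh-client-signer/sign/lab-user public_key=@id_ed25519.pub valid_principals=<shortname>; a valid_principals value that does not match the expanded template is rejected with the error quoted in the question, which is the check that keeps one user from obtaining a certificate for another user's account.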