Vault SSH CA can't get allowed_users_template to work

I'm trying to set up SSH CA public key signing, and I need the user name to be set as the principal. I tried to enable templates for allowed_users with allowed_users_template: true, but I only get error messages. Any help is appreciated.
(It works without templates.)

To reproduce:

vault write ssh-client-signer/roles/test -<<EOH
{
  "allow_user_certificates": true,
  "allowed_users": "root,{{identity.entity.metadata.shortname}}",
  "allowed_users_template": true,
  "allowed_extensions": "",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "ttl": "30m0s"
}
EOH
Success! Data written to: ssh-client-signer/roles/test
vault write -field=signed_key ssh-client-signer/sign/test public_key=@.ssh/alice-key.pub valid_principals=alice > .ssh/alice-signed-key.pub
Error writing data to ssh-client-signer/sign/test: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/ssh-client-signer/sign/test
Code: 400. Errors:

  • alice is not a valid value for valid_principals

vault write ssh-client-signer/roles/test -<<EOH
{
  "allow_user_certificates": true,
  "allowed_users": "{{identity.entity.metadata.shortname}}",
  "allowed_users_template": true,
  "allowed_extensions": "",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "ttl": "30m0s"
}
EOH
Success! Data written to: ssh-client-signer/roles/test
vault write -field=signed_key ssh-client-signer/sign/test public_key=@.ssh/alice-key.pub valid_principals=alice > .ssh/alice-signed-key.pub
Error writing data to ssh-client-signer/sign/test: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/ssh-client-signer/sign/test
Code: 400. Errors:

  • role is not configured to allow any principals

Vault Version 1.6.1
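To make the two 400 responses above easier to read, here is a small model of what the sign endpoint has to decide: expand the role's allowed_users for the calling token (only when allowed_users_template is on), then check each requested principal against the result. This is an added example written for this page, not Vault's source code, and it says nothing about why 1.6.1 behaved the way it did; the entity (ENTITY_ALICE) and the function names are constructed for illustration. It does show the two ways the request can fail: a placeholder that is never rendered is compared literally and so never matches "alice", and a role whose only entry renders to nothing (no entity on the token, or no shortname in its metadata) ends up allowing no principals at all.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the fields of a Vault identity entity that the
# role template refers to. Not a real Vault object.
ENTITY_ALICE: Dict = {"name": "alice", "metadata": {"shortname": "alice"}}

# Only the identity.entity.metadata.<key> form of the template is modelled.
TEMPLATE_RE = re.compile(
    r"\{\{\s*identity\.entity\.metadata\.([A-Za-z0-9_.-]+)\s*\}\}")


def render_allowed_users(allowed_users: str,
                         allowed_users_template: bool,
                         entity: Optional[Dict]) -> List[str]:
    """Expand the role's allowed_users list for one caller.

    Placeholders are substituted only when allowed_users_template is true.
    An entry that renders to the empty string (no entity on the token, or the
    metadata key is missing) is dropped, which is how a role whose only entry
    is a template can end up permitting no principals at all.
    """
    principals: List[str] = []
    for raw in allowed_users.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if allowed_users_template:
            def lookup(match: "re.Match[str]") -> str:
                if entity is None:
                    return ""
                return str(entity.get("metadata", {}).get(match.group(1), ""))
            entry = TEMPLATE_RE.sub(lookup, entry).strip()
        if entry:
            principals.append(entry)
    return principals


def validate_principals(requested: List[str],
                        allowed: List[str]) -> Optional[str]:
    """Check valid_principals against the rendered allow-list.

    Returns None when the request is acceptable, otherwise an error string in
    the shape of the two 400 responses quoted in the post above.
    """
    if not allowed:
        return "role is not configured to allow any principals"
    if "*" in allowed:  # the SSH role treats "*" as "any user"
        return None
    for principal in requested:
        if principal not in allowed:
            return f"{principal} is not a valid value for valid_principals"
    return None


def sign_request(allowed_users: str, allowed_users_template: bool,
                 entity: Optional[Dict], valid_principals: str) -> Optional[str]:
    """Render the role for the caller, then validate the requested principals."""
    allowed = render_allowed_users(allowed_users, allowed_users_template, entity)
    requested = [p.strip() for p in valid_principals.split(",") if p.strip()]
    return validate_principals(requested, allowed)


if __name__ == "__main__":
    ROLE_USERS = "root,{{identity.entity.metadata.shortname}}"
    # Template flag off: the placeholder is compared literally, "alice" is rejected.
    print(sign_request(ROLE_USERS, False, ENTITY_ALICE, "alice"))
    # Template flag on but the caller has no entity: nothing renders, no principals.
    print(sign_request("{{identity.entity.metadata.shortname}}", True, None, "alice"))
    # Template flag on and the caller's entity carries shortname=alice: accepted.
    print(sign_request(ROLE_USERS, True, ENTITY_ALICE, "alice"))
```

The practical check this suggests, independent of the Vault version: sign with a token that actually belongs to an entity whose metadata carries the key named in the template, and confirm the result with ssh-keygen -L on the signed key, which lists the principals that were embedded.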

There looks to be a fix/improvement for templated users in SSH configs within Vault 1.9.0. I would suggest trying on the current version (1.9.2) to see if your issue persists.


Thank you very much. It really was a bug in the version I used. I switched to the new version and everything worked fine.