I'm trying to set up SSH CA public key signing, and I need the user name to be set as principal. I tried to enable templates for allowed_users with allowed_users_template: true, but I only get error messages. Any help appreciated.
(it works without templates)
To reproduce:
vault write ssh-client-signer/roles/test -<<EOH
{
"allow_user_certificates": true,
"allowed_users": "root,{{identity.entity.metadata.shortname}}",
"allowed_users_template": true,
"allowed_extensions": "",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"ttl": "30m0s"
}
EOH
Success! Data written to: ssh-client-signer/roles/test
vault write -field=signed_key ssh-client-signer/sign/test public_key=@.ssh/alice-key.pub valid_principals=alice > .ssh/alice-signed-key.pub
Error writing data to ssh-client-signer/sign/test: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/ssh-client-signer/sign/test
Code: 400. Errors:
alice is not a valid value for valid_principals
vault write ssh-client-signer/roles/test -<<EOH
{
"allow_user_certificates": true,
"allowed_users": "{{identity.entity.metadata.shortname}}",
"allowed_users_template": true,
"allowed_extensions": "",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"ttl": "30m0s"
}
EOH
Success! Data written to: ssh-client-signer/roles/test
vault write -field=signed_key ssh-client-signer/sign/test public_key=@.ssh/alice-key.pub valid_principals=alice > .ssh/alice-signed-key.pub
Error writing data to ssh-client-signer/sign/test: Error making API request.
URL: PUT https://127.0.0.1:8200/v1/ssh-client-signer/sign/test
Code: 400. Errors:
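To make the failure mode easier to reason about, here is a small Python model of the principal check the role above performs. It is an added example, not Vault's own code: it assumes (as a simplification) that `{{identity.entity.metadata.<key>}}` is substituted from the metadata of the entity attached to the token that calls `sign/`, that a token with no entity cannot render the template at all, and that a metadata key that is missing renders as an empty string. The role values are the ones from the post; the entity metadata dictionaries are constructed sample input.

```python
import re
from typing import Dict, List, Optional, Set

# Matches the identity template syntax used in the role above, e.g.
# {{identity.entity.metadata.shortname}} -> captures "shortname".
TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.metadata\.([A-Za-z0-9_-]+)\}\}")


def render_allowed_users(allowed_users: str, entity_metadata: Optional[Dict[str, str]]) -> str:
    """Model of allowed_users templating (assumption, not Vault's implementation).

    entity_metadata=None models a signing token with no entity attached
    (for example a root token); in that case the template cannot be rendered.
    A key that is absent from the metadata renders as "" in this model.
    """
    if entity_metadata is None:
        raise ValueError("no entity attached to the signing token; cannot render template")
    return TEMPLATE_RE.sub(lambda m: entity_metadata.get(m.group(1), ""), allowed_users)


def allowed_principals(role: Dict[str, object], entity_metadata: Optional[Dict[str, str]]) -> Set[str]:
    """Return the set of principals the role will sign for this caller."""
    allowed = str(role["allowed_users"])
    if role.get("allowed_users_template"):
        allowed = render_allowed_users(allowed, entity_metadata)
    # Comma-separated list; empty entries (from an empty substitution) are dropped.
    return {u.strip() for u in allowed.split(",") if u.strip()}


def rejected_principals(role: Dict[str, object], requested: List[str],
                        entity_metadata: Optional[Dict[str, str]]) -> List[str]:
    """List every requested principal the role would refuse (empty list = sign OK)."""
    allowed = allowed_principals(role, entity_metadata)
    if "*" in allowed:
        return []
    return [p for p in requested if p not in allowed]


# Role exactly as written in the first `vault write` above.
ROLE = {
    "allow_user_certificates": True,
    "allowed_users": "root,{{identity.entity.metadata.shortname}}",
    "allowed_users_template": True,
    "key_type": "ca",
    "ttl": "30m0s",
}

if __name__ == "__main__":
    # Constructed sample callers: one whose entity carries shortname=alice,
    # one whose entity has no shortname metadata, and one with no entity.
    for label, meta in [("entity with shortname", {"shortname": "alice"}),
                        ("entity without shortname", {}),
                        ("token without entity", None)]:
        try:
            bad = rejected_principals(ROLE, ["alice"], meta)
            verdict = "signed" if not bad else f"{bad[0]} is not a valid value for valid_principals"
        except ValueError as exc:
            verdict = f"error: {exc}"
        print(f"{label}: {verdict}")
```

The point the model makes explicit is that with `allowed_users_template` enabled, the accepted principal list depends entirely on the identity of the token used on `sign/test`, not on the `valid_principals` argument; the same role yields `alice` allowed, only `root` allowed, or an outright error depending on which token calls it.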
There looks to be a fix/improvement for templated users in SSH configs within Vault 1.9.0. I would suggest trying on the current version (1.9.2) to see if your issue persists.