Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssh user certificate allow_users_template not rendering #10112

Closed
chomezski opened this issue Oct 8, 2020 · 1 comment
Closed

ssh user certificate allow_users_template not rendering #10112

chomezski opened this issue Oct 8, 2020 · 1 comment

Comments

@chomezski
Copy link

Describe the bug
Trying to use identity template for ssh cert signing to limit principals as per #7548 but am getting an error that template cannot be rendered.

To Reproduce
Steps to reproduce the behavior:
1.

vault write ssh-client-signer/roles/adminsign -<<"EOH"
{
    "allowed_users_template": true,
    "allow_user_certificates": true,
    "allowed_users": "{{identity.entity.aliases.auth_oidc_918c7b53.name}}",
    "default_user": "",
    "allow_user_key_ids": "false",
    "default_extensions": [
        {
          "permit-pty": ""
        }
    ],
    "key_type": "ca",
    "ttl": "60m0s"
}

vault write \
-field=signed_key ssh-client-signer/sign/adminsign \
valid_principals="usera" \
public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub
Error writing data to ssh-client-signer/sign/adminsign: Error making API request.

URL: PUT https://alphaeast.keeper.test.com/v1/ssh-client-signer/sign/adminsign
Code: 400. Errors:

* template '{{identity.entity.aliases.auth_oidc_918c7b53.name}}' could not be rendered -> alias not found

Expected behavior
Expectation is that I am able to sign the certificate with only the OIDC logged in user, otherwise have an error thrown.

Environment:

  • Vault Server Version: 1.5.4+prem.hsm
  • Vault CLI Version: Vault v1.5.0
  • Server Operating System/Architecture: macos, centos7

Additional context
Identity Alias seems correct:

vault read identity/entity-alias/id/fa33ad6d-b47e-f1ba-ab06-fed41d09d5ae
Key                          Value
---                          -----
canonical_id                 3e2ef207-6b8a-1e32-8a8c-af2e87b99dd7
creation_time                2020-10-07T22:28:49.48571012Z
id                           fa33ad6d-b47e-f1ba-ab06-fed41d09d5ae
last_update_time             2020-10-07T22:28:49.48571012Z
merged_from_canonical_ids    <nil>
metadata                     map[email:usera@test.com family_name:A given_name:User sub:usera]
mount_accessor               auth_oidc_918c7b53
mount_path                   auth/oidc/
mount_type                   oidc
name                         usera
namespace_id                 TS0uy
@raskchanky
Copy link
Collaborator

This looks like a duplicate of #10113, closing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@raskchanky @chomezski