Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token metadata support for policy template #10460

Closed
iamlothian opened this issue Nov 26, 2020 · 2 comments
Closed

Token metadata support for policy template #10460

iamlothian opened this issue Nov 26, 2020 · 2 comments
Labels
core/policy core/token enhancement

Comments

@iamlothian
Copy link

Is your feature request related to a problem? Please describe.
I have a number of microservices that use vault to access configuration secrets, and each has an orphaned token generated for it using a specific role that defines policies for access to applications specific config secrets.

application-config-secrets

path "secret/{{token.metadata.service}}/{{token.metadata.environment}}/*" {
  capabilities = ["read"]
}

app-config

curl --location --request POST 'http:https://localhost:8200/v1/auth/token/roles/app-config' \
--header 'X-Vault-Token: s.' \
--header 'Content-Type: application/json' \
--data-raw '{
  "allowed_policies": ["default","application-config-secrets","application-credentials-storage"],
  "orphan": true,
  "renewable": false,
  "token_type": "service",
  "token_explicit_max_ttl": 0
}'

Create token Token

curl --location --request POST 'http:https://localhost:8200/v1/auth/token/create/app-config' \
--header 'X-Vault-Token: s.' \
--header 'Content-Type: application/json' \
--data-raw '{
    "ttl": "0",
    "meta": {
        "environment": "local",
        "service": "service-name"
    }
}'

Request to retrieve secret

curl --location --request GET 'http:https://localhost:8200/v1/secret/service-name/local/datasource' \
--header 'X-Vault-Token: s.'

Describe the solution you'd like
I'd like to be able to interpolate the token's metadata in my policy to simplify ACL policy management

Describe alternatives you've considered
Without this each service will require an explicit policy to limit access to it's own secrets and the solution become far less generic to manage.
@UXabre UXabre mentioned this issue Jan 11, 2021
Open
UXabre pushed a commit to UXabre/vault that referenced this issue Jan 11, 2021
Support token's metadata in template hashicorp#10460
d81a6f0
UXabre added a commit to UXabre/vault that referenced this issue Jan 11, 2021
@UXabre
Support token's metadata in template hashicorp#10460
061d719
UXabre added a commit to UXabre/vault that referenced this issue Feb 10, 2021
@UXabre
Support token's metadata in template hashicorp#10460
56e1706
UXabre added a commit to UXabre/vault that referenced this issue Feb 10, 2021
@UXabre
Support token's metadata in template hashicorp#10460
648f0d4
@ncabatoff
Copy link
Collaborator

Hi @iamlothian,

I won't rule out the possibility that we implement this at some point. In the meantime however, I think you can achieve the result you're aiming for by creating an entity and alias for each role that needs distinct policies, put the metadata into the entity, and bind the entity alias to the token role.

@ncabatoff
Copy link
Collaborator

Actually, we've discussed this more internally, and we've decided we don't want to do this. The entity-alias solution is the right way to handle this. Allowing non-entity tokens to have interpolatable metadata would complicate some of our 1.9 work. Sorry about that!

@h33p h33p mentioned this issue Mar 31, 2023
Open
This was referenced Aug 15, 2023
Closed
Closed
@UXabre UXabre mentioned this issue Apr 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
core/policy core/token enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@iamlothian @ncabatoff @swayne275 @hsimon-hashicorp