I am trying to set up secure Vault host key signing.
For this I have written the following policy in Vault:
path "ssh_host_signer/sign/*" {
  capabilities = ["create", "update"]
  required_parameters = ["cert_type", "public_key", "valid_principals"]
  allowed_parameters = {
    "cert_type" = ["host"]
    "public_key" = []
    "valid_principals" = ["{{identity.entity.aliases.auth_cert_XXX.name}}"]
  }
}
Unfortunately this is not working. With "valid_principals" = [] in the policy instead, the key signing works, so the problem has to be there.
I try to sign the host key like this:
vault write ssh_host_signer/sign/host cert_type=host public_key=@/etc/ssh/ssh_host_rsa_key.pub valid_principals=hostname.internal
If I get the entity_id with $ vault token lookup and then the entity data, I get:
vault read identity/entity/id/__ENTITY_ID__
Key Value
--- -----
aliases [map[canonical_id:XXX creation_time:1990-XXX custom_metadata:<nil> id:XXX last_update_time:XXX local:false merged_from_canonical_ids:<nil> metadata:<nil> mount_accessor:auth_cert_XXX mount_path:auth/cert/ mount_type:cert name:hostname.internal]]
creation_time XXX
direct_group_ids []
disabled false
group_ids []
id XXX
inherited_group_ids []
last_update_time XXX
merged_entity_ids <nil>
metadata <nil>
name entity_XXX
namespace_id root
policies []
And the alias data:
vault read identity/entity-alias/id/__ALIAS_ID__
Key Value
--- -----
canonical_id XXX
creation_time XXX
custom_metadata <nil>
id XXX
last_update_time XXX
local false
merged_from_canonical_ids <nil>
metadata <nil>
mount_accessor auth_cert_XXX
mount_path auth/cert/
mount_type cert
name hostname.internal
namespace_id root
According to the documentation, that should work: https://developer.hashicorp.com/vault/tutorials/policies/policy-templating#create-templated-acl-policies
So why doesn't this work as described above ("valid_principals" = ["{{identity.entity.aliases.auth_cert_XXX.name}}"]), and how could it be solved so that a host can only sign its own keys?
With ACL Policy Path Templating in HashiCorp Vault, you can only leverage templating parameters within the path component of your policy, that being the very first line of your policy as shown below:
path "ssh_host_signer/sign/*" {
You are unfortunately not able to leverage ACL Policy Path Templating within the allowed_parameters component of a Vault ACL policy as you are trying to do. To achieve your desired outcome you'd need to have a separate policy per host.
The Fine Grained Control documentation on HashiCorp's site does a good job detailing what is possible with the allowed_parameters option.