
Hashicorp Vault ACL Policy Templating / for Vault host key signing


I am trying to set up secure Vault host key signing.

For this I have written the following policy in vault:

path "ssh_host_signer/sign/*" {
  capabilities = ["create", "update"]
  required_parameters = ["cert_type", "public_key", "valid_principals"]
  allowed_parameters = {
    "cert_type" = ["host"],
    "public_key" = [],
    "valid_principals" = ["{{identity.entity.aliases.auth_cert_XXX.name}}"]
  }
}

Unfortunately this is not working. With "valid_principals" = [] instead in the policy, the key signing works, so the problem has to be there.

I am trying to sign the host key like this:

vault write ssh_host_signer/sign/host cert_type=host public_key=@/etc/ssh/ssh_host_rsa_key.pub valid_principals=hostname.internal

If I get the entity_id with $ vault token lookup and then read the entity data, I get:

vault read identity/entity/id/__ENTITY_ID__

Key                    Value
---                    -----
aliases                [map[canonical_id:XXX creation_time:1990-XXX custom_metadata:<nil> id:XXX last_update_time:XXX local:false merged_from_canonical_ids:<nil> metadata:<nil> mount_accessor:auth_cert_XXX mount_path:auth/cert/ mount_type:cert name:hostname.internal]]
creation_time          XXX
direct_group_ids       []
disabled               false
group_ids              []
id                     XXX
inherited_group_ids    []
last_update_time       XXX
merged_entity_ids      <nil>
metadata               <nil>
name                   entity_XXX
namespace_id           root
policies               []

And the alias data:

vault read identity/entity-alias/id/__ALIAS_ID__

Key                          Value
---                          -----
canonical_id                 XXX
creation_time                XXX
custom_metadata              <nil>
id                           XXX
last_update_time             XXX
local                        false
merged_from_canonical_ids    <nil>
metadata                     <nil>
mount_accessor               auth_cert_XXX
mount_path                   auth/cert/
mount_type                   cert
name                         hostname.internal
namespace_id                 root

According to the documentation, that should work: https://developer.hashicorp.com/vault/tutorials/policies/policy-templating#create-templated-acl-policies

So why doesn't this work as described above ("valid_principals" = ["{{identity.entity.aliases.auth_cert_XXX.name}}"]), and how could it be arranged so that a host can only sign its own keys?


Solution

  • With ACL Policy Path Templating in HashiCorp Vault, you can only leverage templating parameters within the path component of your policy. That being the very first line of your policy as shown below:

    path "ssh_host_signer/sign/*" {

    You are unfortunately not able to leverage ACL Policy Path Templating within the allowed_parameters component of a Vault ACL policy as you are trying to do. To achieve your desired outcome you'd need to have a separate policy per host.

    The Fine Grained Control documentation on HashiCorp's site does a good job detailing what is possible with the allowed_parameters option.
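The per-host policy the answer recommends, as an added shell example that is not from the original post: it renders one policy per hostname, with that hostname as the only allowed valid_principals value, and writes it to Vault. The ssh_host_signer mount and the "host" role are the question's; the "ssh-host-" policy-name prefix, the entity-name argument and the hostname check are my own assumptions.

```shell
#!/bin/sh
# Constructed example: one Vault ACL policy per host, because {{identity...}}
# templating is only honoured in the path, not inside allowed_parameters.

# Emit the HCL for a policy that lets one host sign only its own principal.
# $1 = hostname (becomes the sole allowed valid_principals value)
render_host_policy() {
  host="$1"
  cat <<EOF
path "ssh_host_signer/sign/host" {
  capabilities = ["create", "update"]
  required_parameters = ["cert_type", "public_key", "valid_principals"]
  allowed_parameters = {
    "cert_type" = ["host"],
    "public_key" = [],
    "valid_principals" = ["${host}"]
  }
}
EOF
}

# Only accept DNS-style hostnames before interpolating into HCL, so a stray
# quote or bracket in the input cannot widen the generated policy.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|.*|*-|*.) return 1 ;;
    *) return 0 ;;
  esac
}

# Write the policy to Vault (VAULT_ADDR/VAULT_TOKEN must be set) and attach it
# to the host's identity entity. $1 = hostname, $2 = entity name (assumed to be
# the entity the question's cert-auth alias belongs to). Prints the policy name.
install_host_policy() {
  host="$1"; entity="$2"
  valid_hostname "$host" || { echo "refusing hostname: $host" >&2; return 1; }
  name="ssh-host-$(printf '%s' "$host" | tr '.' '-')"
  render_host_policy "$host" | vault policy write "$name" -
  vault write "identity/entity/name/$entity" policies="$name"
  echo "$name"
}
```

Run install_host_policy once per host (for example from your provisioning tooling) so each entity ends up with exactly one policy naming its own hostname.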