Comments (4)
Hi, you can have one dynamic policy using the template variable identity.entity.aliases.<mount accessor>.name; this would be your machine hostname (where <mount accessor> is the name of the cert auth method). But you cannot add different policies, hope it helps.
from puppet-vault_lookup.
Thanks, I was hoping not to make the path itself host-specific. An example would be 'host1' and 'host2' both having access to /secrets/ssl_key/mysite.
Does anything come to mind as to whether this is possible? If not, I'll have to go down a different road.
from puppet-vault_lookup.
Vault 1.10 merges in PR#13348, which will populate the entity alias metadata hash with the cert extensions of the client cert.
So, using cert extensions when you sign your agent cert, you should be able to set arbitrary values that you can use in Vault to template with.
Though, full disclosure, I haven't tried this yet since my Vault instance isn't at 1.10 yet.
from puppet-vault_lookup.
I think this is possible. You need access to write to the cert authenticator in Vault; you can then upload Puppet's CA cert multiple times, associating it with different policies and different sets of common names. Those policies then restrict you to a particular kv path.
So if you had alice_secrets and a policy puppetcert_alice_secret_access,
and bob_secrets and a policy puppetcert_bob_secret_access,
you then upload the Puppet CA cert with vault like this:
https://www.vaultproject.io/api-docs/auth/cert
# The list parameter is allowed_common_names (plural); the vault CLI takes it as a
# comma-separated string. The certificate path is a placeholder: point it at the
# Puppet CA cert file on disk.
vault write auth/cert/certs/puppetcert_alice \
  display_name=alice_secrets_authenticator \
  policies=puppetcert_alice_secret_access \
  allowed_common_names="alice_host1.mydomain.example,alice_host2.mydomain.example" \
  certificate=@/path/to/puppet_ca.pem \
  ttl=3600
vault write auth/cert/certs/puppetcert_bob \
  display_name=bob_secrets_authenticator \
  policies=puppetcert_bob_secret_access \
  allowed_common_names="bob_host1.mydomain.example,bob_host2.mydomain.example" \
  certificate=@/path/to/puppet_ca.pem \
  ttl=3600
from puppet-vault_lookup.
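As an added example (not code from this thread or from puppet-vault_lookup), a small Python model of the two designs discussed above: the single templated policy from the first reply and the per-group cert roles from the last. Vault's ACL engine is not reproduced; only the exact CN match of allowed_common_names and the substitution of the alias-name template variable are modelled, and the accessor, host and policy names are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed placeholder for the cert mount accessor (real ones look like auth_cert_<hex>).
CERT_ACCESSOR = "auth_cert_demo0000"


@dataclass
class CertRole:
    """One entry written under auth/cert/certs/<name>."""
    allowed_common_names: list
    policies: list


def login(roles, client_cn):
    """Cert auth: the presented CN must exactly match an allowed_common_names entry.
    Returns the policy names attached to the matching role, or None if login fails."""
    for role in roles.values():
        if client_cn in role.allowed_common_names:
            return role.policies
    return None


def render(path_rule, alias_name):
    """Expand the templated alias name; for cert auth the alias name is the cert CN."""
    return path_rule.replace("{{identity.entity.aliases.%s.name}}" % CERT_ACCESSOR, alias_name)


def can_read(roles, policies, client_cn, secret_path):
    """True if a token obtained with client_cn may read secret_path (exact match only)."""
    granted = login(roles, client_cn)
    if granted is None:
        return False
    return any(render(rule, client_cn) == secret_path
               for name in granted for rule in policies[name])


TEMPLATED = "secrets/ssl_key/{{identity.entity.aliases.%s.name}}" % CERT_ACCESSOR

# Design A (first reply): one cert role, one templated policy -> each host gets its own path.
ROLES_A = {"puppet": CertRole(["host1", "host2"], ["puppet-templated"])}
POLICIES_A = {"puppet-templated": [TEMPLATED]}

# Design B (last reply): one cert role per group, each bound to its own static policy.
ROLES_B = {"puppetcert_alice": CertRole(["alice_host1", "alice_host2"], ["alice_access"]),
           "puppetcert_bob": CertRole(["bob_host1", "bob_host2"], ["bob_access"])}
POLICIES_B = {"alice_access": ["secrets/ssl_key/mysite"],
              "bob_access": ["secrets/ssl_key/othersite"]}
```

With design A, host1 can only reach secrets/ssl_key/host1, which is exactly the limitation the question describes; with design B, both alice hosts share secrets/ssl_key/mysite while bob hosts cannot read it.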