
Comments (4)

gokuatkai commented on September 24, 2024

Hi, you can have one dynamic policy using the template variable
identity.entity.aliases.<mount accessor>.name; this would be your machine hostname (where <mount accessor> is the name of the cert auth method).

But you cannot add different policies; hope it helps.

from puppet-vault_lookup.

Tamerz commented on September 24, 2024

Thanks, I was hoping not to make the path itself host-specific. An example would be 'host1' and 'host2' both having access to /secrets/ssl_key/mysite.

Anything come to mind as to this being possible? If not, I'll have to go down a different road.


arusso commented on September 24, 2024

Vault 1.10 merges in PR#13348, which will populate the entity alias metadata hash with the cert extensions of the client cert.

So, using cert extensions when you sign your agent cert, you should be able to set arbitrary values that you can use in Vault to template with.

Though full disclosure, I haven't tried this yet since my vault instance isn't at 1.10 yet.

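An added example (not code from this thread or from puppet-vault_lookup) of a Vault ACL policy that uses both template variables discussed above: the alias name for per-host paths, and alias metadata from a cert extension for the shared path Tamerz asked about. It assumes the cert auth mount accessor is auth_cert_1234abcd (a placeholder; read yours with `vault auth list -detailed`), KV v2 mounted at secret/, Vault 1.10 or later, and that the cert role's allowed_metadata_extensions exposes a role extension under the assumed metadata key pp_role.

```hcl
# Added example: one ACL policy attached to a cert auth role.
# Placeholder accessor: auth_cert_1234abcd (substitute your own).

# Per-host secrets: the cert auth method sets the entity alias name to the
# client certificate's common name, i.e. the Puppet agent certname, so each
# agent only resolves its own subtree and cannot read another host's.
path "secret/data/hosts/{{identity.entity.aliases.auth_cert_1234abcd.name}}/*" {
  capabilities = ["read"]
}
path "secret/metadata/hosts/{{identity.entity.aliases.auth_cert_1234abcd.name}}/*" {
  capabilities = ["list"]
}

# Shared secrets keyed on a cert extension (Vault 1.10+): every host whose
# agent cert carries the same role value resolves to the same path, so host1
# and host2 both signed with role "mysite" can read secret/data/ssl_key/mysite.
# The metadata key "pp_role" is an assumption; after a first login, confirm
# the key Vault actually stored with
#   vault read identity/entity-alias/id/<alias id>
# and adjust the template accordingly.
path "secret/data/ssl_key/{{identity.entity.aliases.auth_cert_1234abcd.metadata.pp_role}}" {
  capabilities = ["read"]
}
```

Because the policy is fixed and only the template inputs vary per certificate, a host can never widen its access by editing anything on its own side; the values come from the CA-signed cert presented at login.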

firstnevyn commented on September 24, 2024

I think this is possible. You need access to write to the cert authenticator in Vault; you can then upload Puppet's CA cert multiple times, associating it with different policies and different sets of common names. Those policies then restrict you to a particular KV path.

So if you had alice_secrets and a policy puppetcert_alice_secret_access,
and bob_secrets and a policy puppetcert_bob_secret_access,

you then upload the Puppet CA cert with Vault like this:
https://www.vaultproject.io/api-docs/auth/cert

# One cert auth role per group of hosts; allowed_common_names is a
# comma-separated list, and certificate=@<file> reads the CA cert from disk.
vault write auth/cert/certs/puppetcert_alice \
    display_name=alice_secrets_authenticator \
    policies=puppetcert_alice_secret_access \
    allowed_common_names="alice_host1.mydomain.example,alice_host2.mydomain.example" \
    certificate=@<path to Puppet CA cert> \
    ttl=3600

vault write auth/cert/certs/puppetcert_bob \
    display_name=bob_secrets_authenticator \
    policies=puppetcert_bob_secret_access \
    allowed_common_names="bob_host1.mydomain.example,bob_host2.mydomain.example" \
    certificate=@<path to Puppet CA cert> \
    ttl=3600
