feat(vault-jwt): allow specifying the vault jwt token directly #436
Conversation
There was a problem hiding this comment.
Not a vault expert at all. But as far as I understand the the workspace scoped secrets need to be pre created in vault. How would one do that.
In other words, I agree with use case to provide workspace only secrets access but is concerned if it makes the config difficult on the vault side. How would one provision these secrets? For what type of secrets this is most useful for.
Thanks.
one option is for someone with permission to create at the correct path would have to create them with the relevant command, an admin user with their "access everything" policy e.g. for kv, it would be something like but more likely, the workspace user would generate a secret inside the workspace, and save it to vault (by running the above command in the workspace), and then it can never be retrieved from outside policy could be created for allowing anyone access as long as they are accessing using a specific coder template additionally, one of the scenarios im considering is an admin user who only has admin access from inside coder. policies granting full access to whatever, but only when authenticated with a specific mount/role, theres no specific secret, more just any and all secrets something similar i already have set up, is that a specific k8s service account in the another example of how this could be useful is allow you to use vault to generate k8s keys or aws access keys, but you can only do it from a trustworthy environment, you must be using template X
additionally, this is just one of many many ways to set it up, you could have it generate with none of the fields and just authenticate the user, link the token to the user's entity in vault, 1:1 same permissions the user has outside, same secrets but the ability to make complex policies based on data from the authentication source is exactly what you want with vault. the difficulty is sorta similar to coder templates, if you wanted to you could make it so complicated and difficult to use, or you could make it easy, that's entirely up to the person who generates the token to pass to the module, and the person who writes the policies to decide what to do
done, I added an example vault policy, as well as an example command for configuring the mount role |
|
Hi @moo-im-a-cow can you run |
|
@matifali is there a way to override an error in the "ci/pretty" job?
the |
|
Thanks. I think we need to handle this in our validation script. |
|
@mafredri, what is the best way to pass this prettier validation check? AFAIR, we did this as the plugin we are using is not able to format |
|
I have changed the syntax and code block in the readme for the Vault Policy example. I will do one last test of this module using these new blocks to make sure it works properly before Accepting |
|
I'm going to pull this locally to test it before approving this but everything is looking good now. |
vault-jwt/README.md
Outdated
| sub = "${data.coder_workspace.me.id}" | ||
| aud = "https://vault.example.com" | ||
| iat = provider::time::rfc3339_parse(plantimestamp()).unix | ||
| # exp = timeadd(timestamp(), 3600) |
There was a problem hiding this comment.
This should either be removed or have an associated comment (uncomment to ...).
There was a problem hiding this comment.
do you mean just the exp field? or the sub, aud, iat, exp fields?
(github shows you replying to 4 lines so just making sure i have the correct context)
I also realised the exp line is invalid, i'll have to update it anyway so that it gives a unix timestamp instead of text timestamp
There was a problem hiding this comment.
assuming you only meant the exp field, i've fixed it up and added a comment describing it and the pro/con of uncommenting it (making the token expire)
Co-authored-by: M Atif Ali <[email protected]>
Co-authored-by: M Atif Ali <[email protected]>
Co-authored-by: M Atif Ali <[email protected]>
Co-authored-by: Mathias Fredriksson <[email protected]>
Co-authored-by: Mathias Fredriksson <[email protected]>
Co-authored-by: Mathias Fredriksson <[email protected]>
Co-authored-by: Mathias Fredriksson <[email protected]>
|
Should be available in version |
this PR allows you to pass the desired jwt token to the vault-jwt module as a variable, for cases when you want to use a different jwt token to the one used to authenticate to vault
if not specified, it defaults to
data.coder_workspace_owner.me.oidc_access_token.