Add custom metadata to Vault from ServiceAccount annotations #85
Comments
|
Yeah, I would very much appreciate to have this feature, it sounds like a logical thing to have actually seeing how you can annotate everything in Kubernetes anyway. This would enable us to organize our secrets and their access control based on an existing k8s structure. In my case I would like to define a secret as |
|
I also have a use case for this feature as we're using the Kubernetes auth method and would like to take advantage of templated policies being defined ahead of time using a structured path that would require more metadata than just |
|
Would still want this. Right now I'm creating a role and policy for each end user that needs to access part of the path, but it is a pain to manage. |
|
I also have a need for this. 1700 policies and counting |
|
+1 for this feature. |
|
+1 for this feature. it's a pain to edit manually entities |
|
+1 for this, would give us amazing flexibility with templated policies |
|
+1 Same situation in my environment, this will save a lot of manual work and make ACL Template super strong |
Addresses hashicorp#85 We are introducing another roundtrip to the Kubernetes API to lookup the service account itself and read annotations prefixed with 'vault.hashicorp.com/auth-metadata/'. This will enable us to template Vault policies based on arbitrary service attributes, like fully qualified service name.
Addresses hashicorp#85 We took Mark's proposed design and added support for defining annotations on service accounts that can later on be used in policy templating. ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: example-account namespace: default annotations: vault.hashicorp.com/auth-metadata/service-role: example-value ``` Should allow us to use in policies as so ``` {{identity.entity.aliases.${vault_auth_backend.kubernetes.accessor}.metadata.service_role}} ``` The change is behind a config flag called `enable_custom_metadata_from_annotations` so it should not affect any of the existing integrations. In order to enable the flag users will have to update the clusterrole and allow Vault to read service accounts. If this change is accepted we'll open PRs to update various docs, terraform providers, etc. This will al so introduce another roundtrip to the Kubernetes API, however we are using a pooled tcp client so hopefully not too many new open connections.
|
As linked above, we at Monzo have started a PR implementing the feature discussed here. Note that Kubernetes does not allow more than one level of |
|
Just cam across this thread today. I would also love to have this feature of course. But in the meantime - for anyone that's interested - I can show you how I manage hundreds of services with just 1 policy. The policy is does not need to be updated for any new service. This can be achieved by using ACL Policy Path Templating. So all of my hundreds of services are managed with just this policy: |
|
Thanks for sharing @gkid and I'm glad this workaround worked for you in this use-case. Unfortunately for PKI signing paths rather than secret storage paths, just the |
|
news on this? |
Addresses hashicorp#85 We took Mark's proposed design and added support for defining annotations on service accounts that can later on be used in policy templating. ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: example-account namespace: default annotations: vault.hashicorp.com/auth-metadata/service-role: example-value ``` Should allow us to use in policies as so ``` {{identity.entity.aliases.${vault_auth_backend.kubernetes.accessor}.metadata.service_role}} ``` The change is behind a config flag called `enable_custom_metadata_from_annotations` so it should not affect any of the existing integrations. In order to enable the flag users will have to update the clusterrole and allow Vault to read service accounts. If this change is accepted we'll open PRs to update various docs, terraform providers, etc. This will al so introduce another roundtrip to the Kubernetes API, however we are using a pooled tcp client so hopefully not too many new open connections.
Addresses hashicorp#85 We took Mark's proposed design and added support for defining annotations on service accounts that can later on be used in policy templating. ```yaml apiVersion: v1 kind: ServiceAccount metadata: name: example-account namespace: default annotations: vault.hashicorp.com/auth-metadata/service-role: example-value ``` Should allow us to use in policies as so ``` {{identity.entity.aliases.${vault_auth_backend.kubernetes.accessor}.metadata.service_role}} ``` The change is behind a config flag called `enable_custom_metadata_from_annotations` so it should not affect any of the existing integrations. In order to enable the flag users will have to update the clusterrole and allow Vault to read service accounts. If this change is accepted we'll open PRs to update various docs, terraform providers, etc. This will al so introduce another roundtrip to the Kubernetes API, however we are using a pooled tcp client so hopefully not too many new open connections.
|
I’d also like to comment here as an up vote on this feature. Looks like the work has been completed in a forked repo. Same issue as everyone else. We wish to use custom metadata to enhance templated policies. But we need to create the entity alias ahead of time for that to work. Sometimes the service account doesn’t exist yet, which means we have to use name instead of UID for the alias name, which could create a name conflict. |
Hi @gkid, thank you for sharing this. Did you ever had the requirement to extended this as well with the dimension of auth method name. So you have n-kubernetes-clusters each have it's own authenication method. Your secrets path is constructed lik this: secrets/data//services// ? |
We would like to create policy rules that use custom entity/alias metadata and have this metadata be supplied from Kubernetes annotations on the ServiceAccount.
The way I envision this working is, if you have a ServiceAccount with annotations such as:
Then the auth plugin adds following metadata to the entity/alias:
We could then create a templated policy document (in Terraform) such as:
And with this policy in place, the ServiceAccount would have access to any secret under:
Currently, we would have to manually edit entity/alias metadata to achieve this at which point we might as well create per-service-account policies which we would really like to avoid doing.
What are your thoughts on this? I would gladly submit a PR.
I'm thinking what would be necessary is to make an extra request to get the annotations for a given service account, parse them, and pass them to Vault in this code block: https://github.com/hashicorp/vault-plugin-auth-kubernetes/blob/master/path_login.go#L112-L133. Extra RBAC permissions would be required for the JWT reviewer service account too.
The text was updated successfully, but these errors were encountered: