
allow configuration of JWT roles via hashivault_oidc_auth_role

Open jxsl13 opened this issue 3 years ago • 5 comments

https://github.com/TerryHowe/ansible-modules-hashivault/blob/e5f0c2e9e004bb51635e29387169a1ba286bbd7c/ansible/modules/hashivault/hashivault_oidc_auth_role.py#L182

It is possible to configure the JWT auth endpoint with hashivault_oidc_auth_method_config but not possible to configure the corresponding roles with hashivault_oidc_auth_role (it might look like it's possible but it actually does not work). As far as I can currently see, the role_type when configuring JWT roles should be set to jwt instead of oidc in order for the whole setup to properly work.

The error that vault returns for incorrectly configured JWT login attempts is: role with oidc role_type is not allowed

example shell script variant:

# create reader role
vault write auth/jwt/role/reader -<<EOF
{
  "user_claim": "sub",
  "role_type": "jwt",
  "bound_audiences": "$CLIENT_ID",
  "policies": "reader",
  "ttl": "1h",
  "groups_claim": "/resource_access/$CLIENT_ID/roles",
  "bound_claims": { "/resource_access/$CLIENT_ID/roles": ["reader"] },
  "verbose_oidc_logging": true
}
EOF

Making the role_type variable not hardcoded to oidc, but only defaulting to that value and also changeable to jwt, would allow for a full setup of the JWT auth endpoint via this ansible module.

jxsl13 avatar Jun 01 '21 10:06 jxsl13

This issue is an extension of that issue: #336

jxsl13 avatar Jun 01 '21 10:06 jxsl13

I'm running into this issue as well. Any idea if we can get this forward?

alexdepalex avatar Dec 27 '21 13:12 alexdepalex

@alexdepalex I think I was able to create a workaround w/o touching the module code: https://github.com/jxsl13/vault-test/blob/master/stages/07-configure-jwt.yaml Already forgot most of what I did there.

jxsl13 avatar Dec 27 '21 15:12 jxsl13

Thanks for that. So you're basically setting the roles with hashivault_write. I'll give that a try again because it failed earlier.

https://github.com/jxsl13/vault-test/blob/master/stages/07-configure-jwt.yaml#L59

In the meantime, I did a quick replacement in the code. That works partially since any consecutive updates on the same role don't get applied. Would be great if we could get this fixed.

alexdepalex avatar Dec 27 '21 16:12 alexdepalex

The name of the role "hashivault_oidc_auth_role" implies this behaviour. Wouldn't it make more sense to duplicate the role as hashivault_auth_role and add the option to define the role type?

I would be happy to make a PR. I also noticed that the module is missing some options like bound_claims_type, which causes the module to currently always have a diff by default.

ceesios avatar Aug 24 '23 11:08 ceesios
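Two separate problems run through this thread: a role whose role_type is left at the oidc default cannot be used for a bearer-JWT login (the "role with oidc role_type is not allowed" error in the first post), and a module that compares the playbook's role against what Vault stores reports a change on every run unless it accounts for server-side defaults such as bound_claims_type and for list fields that the CLI accepts as comma strings. The following is an added example, not code from ansible-modules-hashivault or from any of the commenters, showing how a module could validate the role_type against the login flow and compute an idempotent change plan. The stored-role shape and the default values are assumptions drawn from the documented JWT/OIDC role fields; no live Vault is contacted, and the client id is a constructed placeholder.

```python
"""Validate a Vault JWT/OIDC auth role and plan idempotent updates (added example)."""
import json

# Values Vault fills in when a field is omitted from `vault write auth/<mount>/role/<name>`.
# Assumed from the documented role fields; adjust if your Vault version differs.
SERVER_DEFAULTS = {
    "role_type": "oidc",          # the default behind the error in this issue
    "bound_claims_type": "string",
    "verbose_oidc_logging": False,
    "clock_skew_leeway": 0,
    "expiration_leeway": 0,
    "not_before_leeway": 0,
}

# Fields the CLI accepts as "a,b" but Vault returns as ["a", "b"].
LIST_FIELDS = ("policies", "token_policies", "bound_audiences")


def normalize(role):
    """Apply server defaults and canonicalize list fields so two representations compare equal.

    Duration fields (ttl, token_ttl, ...) are written as "1h" but read back as seconds;
    they need their own normalization and are deliberately left out of this example.
    """
    out = dict(SERVER_DEFAULTS)
    out.update(role)
    for key in LIST_FIELDS:
        value = out.get(key)
        if isinstance(value, str):
            out[key] = [p.strip() for p in value.split(",") if p.strip()]
    return out


def validate_role_type(login_flow, role):
    """Return an error string when the role cannot serve the intended login flow, else None.

    login_flow is "jwt" for a bearer-token login against auth/<mount>/login and
    "oidc" for the browser redirect flow. A role left at the oidc default fails the
    jwt flow with exactly the message quoted in the issue.
    """
    role_type = normalize(role)["role_type"]
    if role_type not in ("jwt", "oidc"):
        return f"unknown role_type {role_type!r}"
    if login_flow in ("jwt", "oidc") and role_type != login_flow:
        return f"role with {role_type} role_type is not allowed"
    return None


def plan_changes(desired, stored):
    """Return {field: (stored_value, desired_value)} for fields the playbook manages that differ.

    Only keys present in `desired` are compared, so fields the playbook does not
    mention are left under Vault's control. An empty dict means the task is a no-op.
    """
    d = normalize(desired)
    s = normalize(stored)
    return {k: (s.get(k), d[k]) for k in desired if s.get(k) != d[k]}


# Constructed: the reader role from the issue's shell script, with a placeholder client id
# and without the ttl field (see normalize()).
CLIENT_ID = "example-client-id"  # placeholder, not a real client
DESIRED_READER = json.loads(f"""
{{
  "user_claim": "sub",
  "role_type": "jwt",
  "bound_audiences": "{CLIENT_ID}",
  "policies": "reader",
  "groups_claim": "/resource_access/{CLIENT_ID}/roles",
  "bound_claims": {{ "/resource_access/{CLIENT_ID}/roles": ["reader"] }},
  "verbose_oidc_logging": true
}}
""")

# Constructed: an assumed read of auth/jwt/role/reader after that write, with defaults
# filled in and list fields returned as lists.
STORED_READER = {
    "user_claim": "sub",
    "role_type": "jwt",
    "bound_audiences": [CLIENT_ID],
    "policies": ["reader"],
    "groups_claim": f"/resource_access/{CLIENT_ID}/roles",
    "bound_claims": {f"/resource_access/{CLIENT_ID}/roles": ["reader"]},
    "bound_claims_type": "string",
    "verbose_oidc_logging": True,
    "clock_skew_leeway": 0,
    "expiration_leeway": 0,
    "not_before_leeway": 0,
}

if __name__ == "__main__":
    print("jwt login with default role:", validate_role_type("jwt", {"user_claim": "sub"}))
    print("jwt login with reader role:", validate_role_type("jwt", DESIRED_READER))
    print("changes on re-run:", plan_changes(DESIRED_READER, STORED_READER))
```

Running the block shows the mismatch error for a role that never set role_type, no error for the role from the issue, and an empty change plan on a re-run of the same definition; adding a policy or switching bound_claims_type to glob shows up as a single-field change instead of a whole-role rewrite.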