
Workload identity : lack of usable user_claim when using Nomad namespaces and Vault entities

Open the-nando opened this issue 7 months ago • 3 comments

I'm working on migrating some clusters from the legacy Vault token based integration to the new workload identity based one.

My aim is to be able to create a single Vault entity per workload, set entity specific policies and use that in addition to the generic role's token policy.

The tutorial suggests using "user_claim": "/nomad_job_id" and a templated Vault policy utilising the claim-mapped metadata, something along the lines of:

```hcl
path "secrets/data/{{identity.entity.aliases.AUTH_METHOD_ACCESSOR.metadata.nomad_namespace}}/{{identity.entity.aliases.AUTH_METHOD_ACCESSOR.metadata.nomad_job_id}}" {
  capabilities = ["read"]
}
```

To cater for jobs which may require additional ad-hoc policies, I want to pre-create Vault identities for workloads that will have one or more additional identity policies.
To get this to work I would use an entity alias based on the user_claim to map it to that entity. This would allow me to set up a default workload token policy, like in the tutorial, with templated paths, and for any exception I could just create a policy with the same name as the one we assign to the entity.

The problem is that the user_claim isn't unique when one uses /nomad_job_id in combination with Nomad namespaces, as the Job ID isn't unique within a Nomad cluster.
The implication on the Vault side is that any job with the same name will get assigned the same implied identity, which is a potential security risk that could lead to unintended access to Vault resources.

A workaround is to create a Vault JWT role per workload and configure bound_claims:

```json
"bound_claims": {
  "nomad_namespace": "myns",
  "nomad_job_id": "myjob"
}
```

But this completely invalidates the features of Vault entity management. Furthermore, to my knowledge, a JWT user claim must be unique within the system. It would perhaps be better to recommend that users use "user_claim": "/sub" if they don't intend to use bound_claims.

What I would like is to be able to use a unique claim, something like nomad_workload_id: "<namespace>:::<job_id>", which can then be leveraged on the Vault side to configure entities and aliases accordingly. "/sub" wouldn't work as it contains additional details, like region/taskgroup/task/identity, which a Vault operator may not know upfront for each job. Can such a user_claim be made available?

the-nando, Jul 06 '24 04:07
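The collision described in the issue, reproduced as an added example that is not part of the issue and not Nomad or Vault code. It simulates, in a simplified form, what the Vault JWT auth method does at login (evaluate `bound_claims`, derive the entity-alias name from `user_claim`, copy `claim_mappings` into alias metadata) and then renders the tutorial-style templated policy against that metadata. The two claim sets are constructed stand-ins for workload identity JWTs; the `sub` layout, the accessor name `auth_jwt_12345678` and the `nomad_workload_id` claim are assumptions for the demo (Nomad does not emit `nomad_workload_id`; it is the composite claim the issue asks for).

```python
import re
from dataclasses import dataclass, field

# Constructed claim sets standing in for two Nomad workload-identity JWTs:
# the same job ID "api" in two namespaces. Claim names follow Nomad's nomad_*
# claims; the "sub" layout (region:namespace:job:group:task:identity) is an
# assumption for this demo.
PROD_API = {
    "sub": "global:prod:api:web:server:vault_default",
    "nomad_namespace": "prod",
    "nomad_job_id": "api",
    "nomad_task": "server",
}
DEV_API = {
    "sub": "global:dev:api:web:server:vault_default",
    "nomad_namespace": "dev",
    "nomad_job_id": "api",
    "nomad_task": "server",
}
ACCESSOR = "auth_jwt_12345678"  # hypothetical auth-method accessor
MAPPINGS = {"nomad_namespace": "nomad_namespace", "nomad_job_id": "nomad_job_id"}

# The policy from the tutorial, with the accessor filled in.
POLICY_TEMPLATE = (
    'path "secrets/data/{{identity.entity.aliases.' + ACCESSOR + '.metadata.nomad_namespace}}/'
    '{{identity.entity.aliases.' + ACCESSOR + '.metadata.nomad_job_id}}" {\n'
    '  capabilities = ["read"]\n}'
)


@dataclass
class JwtRole:
    """Subset of a Vault JWT auth role relevant to alias derivation."""
    user_claim: str                                    # JSON pointer, e.g. "/nomad_job_id"
    bound_claims: dict = field(default_factory=dict)   # claim -> required value
    claim_mappings: dict = field(default_factory=dict) # claim -> alias metadata key


def pointer_get(claims, pointer):
    """Resolve a JSON pointer such as "/nomad_job_id" against the claim set."""
    node = claims
    for part in pointer.strip("/").split("/"):
        node = node[part]
    return node


def login(role, claims):
    """Return (alias_name, alias_metadata) or raise if bound_claims do not match."""
    for claim, wanted in role.bound_claims.items():
        if claims.get(claim) != wanted:
            raise PermissionError(f"claim {claim}={claims.get(claim)!r} does not match {wanted!r}")
    alias = pointer_get(claims, role.user_claim)
    metadata = {meta: claims[claim] for claim, meta in role.claim_mappings.items()}
    return alias, metadata


def resolve_entity(store, alias, metadata):
    """Vault creates an entity for a new alias name and reuses it on later logins."""
    entity = store.setdefault(alias, {"alias": alias, "policies": [], "metadata": {}})
    entity["metadata"] = metadata   # alias metadata is refreshed at each login
    return entity


def render_policy(template, accessor, metadata):
    """Substitute {{identity.entity.aliases.<accessor>.metadata.<key>}} placeholders."""
    pattern = re.compile(
        r"\{\{identity\.entity\.aliases\." + re.escape(accessor) + r"\.metadata\.(\w+)\}\}"
    )
    return pattern.sub(lambda m: metadata[m.group(1)], template)


def composite_claims(claims):
    """Hypothetical namespace-qualified claim requested in the issue (not emitted by Nomad)."""
    out = dict(claims)
    out["nomad_workload_id"] = f"{claims['nomad_namespace']}:::{claims['nomad_job_id']}"
    return out


def demo():
    # 1. Tutorial-style role: user_claim=/nomad_job_id, shared by all jobs.
    shared = JwtRole("/nomad_job_id", claim_mappings=MAPPINGS)
    store = {}
    prod_alias, prod_meta = login(shared, PROD_API)
    prod_entity = resolve_entity(store, prod_alias, prod_meta)
    prod_entity["policies"].append("api-prod-extra")  # operator pre-assigned entity policy
    dev_alias, dev_meta = login(shared, DEV_API)
    dev_entity = resolve_entity(store, dev_alias, dev_meta)
    collision = dev_entity is prod_entity  # dev job lands on the prod entity

    # 2. Workaround: a role per workload with bound_claims rejects the other namespace.
    pinned = JwtRole("/nomad_job_id", {"nomad_namespace": "prod", "nomad_job_id": "api"}, MAPPINGS)
    try:
        login(pinned, DEV_API)
        rejected = False
    except PermissionError:
        rejected = True

    # 3. Composite claim: distinct aliases, so entity policies stay per workload.
    composite = JwtRole("/nomad_workload_id", claim_mappings=MAPPINGS)
    store2 = {}
    a1, m1 = login(composite, composite_claims(PROD_API))
    a2, m2 = login(composite, composite_claims(DEV_API))
    distinct = resolve_entity(store2, a1, m1) is not resolve_entity(store2, a2, m2)

    return {
        "collision": collision,
        "dev_entity_policies": list(dev_entity["policies"]),  # inherits api-prod-extra
        "rejected": rejected,
        "distinct": distinct,
        "prod_policy": render_policy(POLICY_TEMPLATE, ACCESSOR, prod_meta),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The templated path itself stays namespace-scoped (it renders to `secrets/data/prod/api` or `secrets/data/dev/api` from the alias metadata), so the leak is not through the tutorial policy but through any extra policy attached to the entity: once the `dev` job logs in it is attached to the entity created for `prod`, and carries `api-prod-extra` with it.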