Hi from the Nomad team 👋
Context
Nomad is enabling logging into Vault using JWT auth. Our current setup involves creating a JWT Role that maps to a Policy, and then Nomad admins can set a default role on each cluster and jobspec authors can override the default role.
This should generally work, and with templated policies most new users should be able to create pretty simple setups, assuming they structure their secrets in an idiomatic way.
Unfortunately, existing users are used to passing in a "policy" value into their Nomad jobspec that then gets threaded through to a token creation call for that specific policy. (This relies on Nomad having a very powerful and long-lived token, so we'd like to get rid of this option for a variety of reasons.) Existing Nomad users might have a bunch of one-off Vault Policies created for each Nomad job, and we'd like to give them some reasonable way to point to these policies from Nomad with JWT Auth. Right now they would have to go and create a role for each policy and then log in with that, which isn't an ideal experience.
Proposals
I was wondering if one of two options is possible. I haven't thought through either in depth:
1. Add some sort of "allowed_policies" value to each role, and then add a "policy" value to the "login" call. You could specify a role and one of the policies allowed. Maybe the "allowed_policies" could allow wildcarding so you wouldn't have to update the role for each new policy?
2. …
"nomad-${identity.metadata.jobname}"
or something like that.
Thoughts on either option? Is there some other way to achieve this that currently exists? Being able to specify a policy in a JWT and get it without creating a new role for it. FWIW, I think the second option is the preferable option both for Nomad & Vault.
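The first proposal, modelled as an added example that is not Vault code (the field name "allowed_policies", the login parameter "policies", the glob semantics and the sample role are all assumptions): a role carries a floor of policies plus a deny-by-default allowlist, and a login may request extra policies only if every one of them matches that allowlist.

```python
"""Model of a role-level "allowed_policies" allowlist checked at login.

Illustration only: Vault's JWT auth has no such field today; the names and
the glob matching below are assumptions taken from the proposal.
"""
from fnmatch import fnmatchcase
from typing import Optional


class LoginDenied(Exception):
    """Raised when a login asks for a policy the role does not allow."""


def resolve_policies(role: dict, requested: Optional[list] = None) -> list:
    """Return the policies a token issued against ``role`` would carry.

    ``role["token_policies"]`` is always attached (the role's floor).
    ``role["allowed_policies"]`` is a deny-by-default list of globs; every
    requested policy must match at least one entry, otherwise the whole
    login is refused rather than silently trimmed, so a job author finds
    out about the mismatch instead of getting a token that lacks access.
    """
    base = list(role.get("token_policies", []))
    allowed = role.get("allowed_policies", [])
    requested = list(requested or [])
    rejected = [p for p in requested
                if not any(fnmatchcase(p, pat) for pat in allowed)]
    if rejected:
        raise LoginDenied(f"role {role['name']!r} does not allow {rejected}")
    # Deduplicate while keeping order; Vault adds "default" on its own.
    seen, granted = set(), []
    for policy in base + requested:
        if policy not in seen:
            seen.add(policy)
            granted.append(policy)
    return granted


# Constructed sample role: one-off job policies follow a naming prefix, so a
# single glob covers new jobs without editing the role each time. Keep the
# glob prefixed; a bare "*" would let any workload name any policy at all.
NOMAD_DEFAULT = {
    "name": "nomad-workloads",
    "token_policies": ["nomad-common"],
    "allowed_policies": ["nomad-job-*"],
}
```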
I was thinking about this over the weekend, and realized that maybe taking multiple policies would be good, not just one! Probably very similarly implemented, but just noting that people can pass in multiple now, so might be good to support that.
mikenomitch changed the title from "Add ability to log in with specific policy" to "Add ability to log in with specific policies" on Nov 6, 2023