Using identity metadata in token roles #27
Comments
@davidcorrigan714 AFAIK the plugin does not currently support what you suggest. This is an excellent feature to add though. We will add this to our backlog.
Sounds good, mostly making sure I hadn't missed anything in the configuration. I think I'll have time to work on this later this quarter myself, as it's something we were prototyping with a stand-alone service before deciding to stand up Vault. Happy to collaborate to make sure it meets code standards and makes sense with how you all would want it to work, so that our work can be upstreamed.
@davidcorrigan714 Sounds good. When you're ready to contribute, the process is pretty standard, so please open a PR and we can work through any comments, feedback, etc.
The ability to do this would depend on username
@TJM not quite sure what you're getting at, have an example of what you have in mind? I just hacked together a proof-of-concept to play with the idea, and it seemed to work, though maybe not as fine-grained as I might like as far as the policy or configuration, which might be what you're getting at. I created a path at /user/* where it takes the path and issues a token for the user, like so:
I created a policy:
I then added the OIDC provider to log me in through the corporate SSO, which aligns with our federated user names in Artifactory, so I could get a token for myself from artifactory/user/[email protected] but not artifactory/user/[email protected].
Hah, see I was trying to make it more difficult. I was looking at creating a role, for example named "my-account" ... which would look up the user identity (somehow) and then use the username during the b.CreateToken process... you are creating a new path with the username in it... nice.
Initial PR for feedback: #113
We're looking to get this set up in the next few weeks, though I've played with it in the past. I'm trying to figure out how I might allow users to authenticate to Vault and then get an API token through Vault for their specific account in Artifactory. For example, some templated policy like:
That would allow users to use their authenticated identity in Vault to get an API token for JFrog for their account. Is this doable somehow? The way the roles path is structured now it looks like I could only map devs to some shared role and not their exact identity in Artifactory.
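The following Vault policy is an added example, not from the issue thread, the PR, or the plugin's own code: it shows the shared-role style of policy the issue describes as the current limitation alongside an identity-templated policy that confines each user to their own Artifactory account. It assumes the secrets engine is mounted at `artifactory/`, that it exposes the per-user path `artifactory/user/<username>` from the proof-of-concept in the comments, that a `read` on that path issues the token, and that `auth_oidc_XXXXXXXX` is a placeholder for the real OIDC auth mount accessor.

```hcl
# Added example (not from the issue thread or the plugin).
# Assumptions: secrets engine mounted at "artifactory/", per-user path
# "artifactory/user/<username>" (from the proof-of-concept), token issued on
# read, and "auth_oidc_XXXXXXXX" is a PLACEHOLDER for the OIDC mount accessor
# (find the real one with `vault auth list -detailed`).

# Too broad: any authenticated dev could mint a token for any Artifactory user.
# path "artifactory/user/*" {
#   capabilities = ["read"]
# }

# Least privilege: the path is templated with the caller's entity alias name
# on the OIDC mount, so a user can only read a token for the account whose
# name matches their SSO identity. Requests for any other username are denied.
path "artifactory/user/{{identity.entity.aliases.auth_oidc_XXXXXXXX.name}}" {
  capabilities = ["read"]
}
```

The alias name is whatever the OIDC auth method mapped from the SSO claim, so this only enforces the intended boundary when that claim matches the Artifactory username exactly, as the proof-of-concept comment relies on.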