Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds vault role to JWT claims if specified in jobspec #19535

Merged
merged 1 commit into from
Dec 20, 2023
Merged

Adds vault role to JWT claims if specified in jobspec #19535

merged 1 commit into from
Dec 20, 2023

Conversation

mikenomitch
Copy link
Contributor

@mikenomitch mikenomitch commented Dec 19, 2023
edited
Loading

Adds vault_role as an attribute in the JWT if, and only if, the role is specified in the jobspec. This would allow Vault users to interpolate the Vault role in their templated policies. This could be generally useful, but was primarily added to unblock a specific customer. They have verified that this fix (including the constraint below) would unblock JWT-based Vault auth for their setup.

Ideally, we could add the role regardless of where it is specified, but since the server is minting the JWTs and the client has the default fallback auth_role values, it is difficult to insert the role into the JWT claims if it is using the fallback. There is also a potential syncing issue if you update config and then restart Nomad. To get around these issues, Vault Namespaces have the same constraint (only adding to claims if in the jobspec), so we're adding the same constraint to the role JWT claim.

@mikenomitch mikenomitch force-pushed the add-vault-role-to-jwt-claims branch from 9b5fc5b to 1d36a98 Compare December 19, 2023 22:52
@mikenomitch mikenomitch force-pushed the add-vault-role-to-jwt-claims branch from 1d36a98 to 45f3296 Compare December 19, 2023 22:58
@mikenomitch mikenomitch marked this pull request as ready for review December 19, 2023 22:58
@mikenomitch mikenomitch added the backport/1.7.x backport to 1.7.x release line label Dec 19, 2023
lgfa29
lgfa29 approved these changes Dec 20, 2023
View reviewed changes
Copy link
Contributor

@lgfa29 lgfa29 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Mostly some minor suggestions, and I think we need to remove that VaultRole from WIHandle since we're not using it anymore?

.changelog/19535.txt Outdated Show resolved Hide resolved
nomad/structs/workload_id.go Outdated Show resolved Hide resolved
website/content/docs/concepts/workload-identity.mdx Outdated Show resolved Hide resolved
@mikenomitch mikenomitch self-assigned this Dec 20, 2023
@mikenomitch mikenomitch force-pushed the add-vault-role-to-jwt-claims branch from 45f3296 to 737bbb7 Compare December 20, 2023 22:24
@mikenomitch mikenomitch merged commit dd15bdf into main Dec 20, 2023
21 checks passed
@mikenomitch mikenomitch deleted the add-vault-role-to-jwt-claims branch December 20, 2023 23:51
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Dec 20, 2023
Merged
@BGMUSTC
Copy link

BGMUSTC commented Dec 27, 2023

When would this feature released? Do you have any plan?

@pkazmierczak
Copy link
Contributor

@BGMUSTC The feature will be released in the upcoming 1.7.3 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lgfa29 lgfa29 lgfa29 approved these changes

@pkazmierczak pkazmierczak Awaiting requested review from pkazmierczak

Assignees

@mikenomitch mikenomitch

Labels
backport/1.7.x backport to 1.7.x release line theme/vault theme/workload-identity type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mikenomitch @BGMUSTC @pkazmierczak @lgfa29