Skip to content

feat(vault-jwt): allow specifying the vault jwt token directly #436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

feat(vault-jwt): allow specifying the vault jwt token directly #436

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
fbf7312
allow specifying the vault jwt token directly
moo-im-a-cow Apr 22, 2025
e3bb4e7
allow specifying the vault jwt token directly p2
moo-im-a-cow Apr 22, 2025
c171d28
update vaultjwt readme
moo-im-a-cow Apr 22, 2025
248c31c
Merge branch 'main' into vault-jwt-feat
moo-im-a-cow Apr 22, 2025
407655b
update readme
moo-im-a-cow Apr 22, 2025
28a70b0
update readme
moo-im-a-cow Apr 22, 2025
41f875e
update readme
moo-im-a-cow Apr 24, 2025
49d6765
fix(docs): correct code block syntax for example workspace access vau…
DevelopmentCats May 5, 2025
65860cb
fix(docs): correct code block syntax for example workspace access vau…
DevelopmentCats May 5, 2025
bd2fcf6
fix(vault-jwt): readme removed line at end to satisfy prettier
DevelopmentCats May 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 110 additions & 7 deletions vault-jwt/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,17 @@ tags: [helper, integration, vault, jwt, oidc]

# Hashicorp Vault Integration (JWT)

This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.
This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method or another source of jwt token. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.

```tf
module "vault" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.21"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.21"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
vault_jwt_token = "eyJhbGciOiJIUzI1N..." # optional, if not present, defaults to user's oidc authentication token
}
```

Expand Down Expand Up @@ -79,3 +80,105 @@ module "vault" {
vault_cli_version = "1.17.5"
}
```

### use a custom jwt token

```tf

terraform {
required_providers {
jwt = {
source = "geektheripper/jwt"
version = "1.1.4"
}
time = {
source = "hashicorp/time"
version = "0.11.1"
}
}
}


resource "jwt_signed_token" "vault" {
count = data.coder_workspace.me.start_count
algorithm = "RS256"
# `openssl genrsa -out key.pem 4096` and `openssl rsa -in key.pem -pubout > pub.pem` to generate keys
key = file("key.pem")
claims_json = jsonencode({
iss = "https://code.example.com"
sub = "${data.coder_workspace.me.id}"
aud = "https://vault.example.com"
iat = provider::time::rfc3339_parse(plantimestamp()).unix
# exp = timeadd(timestamp(), 3600)
agent = coder_agent.main.id
provisioner = data.coder_provisioner.main.id
provisioner_arch = data.coder_provisioner.main.arch
provisioner_os = data.coder_provisioner.main.os

workspace = data.coder_workspace.me.id
workspace_url = data.coder_workspace.me.access_url
workspace_port = data.coder_workspace.me.access_port
workspace_name = data.coder_workspace.me.name
template = data.coder_workspace.me.template_id
template_name = data.coder_workspace.me.template_name
template_version = data.coder_workspace.me.template_version
owner = data.coder_workspace_owner.me.id
owner_name = data.coder_workspace_owner.me.name
owner_email = data.coder_workspace_owner.me.email
owner_login_type = data.coder_workspace_owner.me.login_type
owner_groups = data.coder_workspace_owner.me.groups
})
}

module "vault" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.20"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
vault_jwt_token = jwt_signed_token.vault[0].token
}
```

#### example vault jwt role

```
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
```
```shell

vault write auth/<JWT_MOUNT>/role/workspace -<<EOF
{
"user_claim": "sub",
"bound_audiences": "https://vault.example.com",
"role_type": "jwt",
"ttl": "1h",
"claim_mappings": {
"owner": "owner",
"owner_email": "owner_email",
"owner_login_type": "owner_login_type",
"owner_name": "owner_name",
"provisioner": "provisioner",
"provisioner_arch": "provisioner_arch",
"provisioner_os": "provisioner_os",
"sub": "sub",
"template": "template",
"template_name": "template_name",
"template_version": "template_version",
"workspace": "workspace",
"workspace_name": "workspace_name",
"workspace_id": "workspace_id"
}
}
EOF
```

#### example workspace access vault policy

```tf
path "kv/data/app/coder/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.owner_name}}/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.workspace_name}}" {
capabilities = ["create", "read", "update", "delete", "list", "subscribe"]
subscribe_event_types = ["*"]
}
path "kv/metadata/app/coder/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.owner_name}}/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.workspace_name}}" {
capabilities = ["create", "read", "update", "delete", "list", "subscribe"]
subscribe_event_types = ["*"]
}
```
9 changes: 8 additions & 1 deletion vault-jwt/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@ variable "vault_addr" {
description = "The address of the Vault server."
}

variable "vault_jwt_token" {
type = string
description = "The JWT token used for authentication with Vault."
default = null
sensitive = true
}

Comment on lines +23 to +29
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add an example use case on how you would provide that token to the module? Are you fetching it externally through some API or another provider?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://gist.github.com/moo-im-a-cow/002e18137f5956893e610f85096e04e9#file-main-tf-L394-L422
this is how i'm currently generating the token, using another provider in the template

i'm doing this because i'd like to use a dedicated jwt token issued by coder for the workspace instead of passing through the token used to authenticate to coder

more info here: coder/coder#13127 (comment)

do you want the examples added to the commit in some way?
i'm unsure how documentation works here, but i'll do whatever is needed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you want the examples added to the commit in some way?
i'm unsure how documentation works here, but i'll do whatever is needed

We usually add example Terraform snippets in the README.md to guide users on possible ways the module can be used.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i've now added an example

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I would appreciate it if we could also add a vault policy that can use this new jwt token, scoped to workspace metadata.

variable "vault_jwt_auth_path" {
type = string
description = "The path to the Vault JWT auth method."
Expand All @@ -46,7 +53,7 @@ resource "coder_script" "vault" {
display_name = "Vault (GitHub)"
icon = "/icon/vault.svg"
script = templatefile("${path.module}/run.sh", {
CODER_OIDC_ACCESS_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token != null ? var.vault_jwt_token : data.coder_workspace_owner.me.oidc_access_token,
VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
VAULT_JWT_ROLE : var.vault_jwt_role,
VAULT_CLI_VERSION : var.vault_cli_version,
Expand Down