Skip to content
This repository was archived by the owner on May 15, 2025. It is now read-only.

feat(vault-jwt): allow specifying the vault jwt token directly #436

Merged
merged 21 commits into from
May 8, 2025
Merged

feat(vault-jwt): allow specifying the vault jwt token directly #436

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
fbf7312
allow specifying the vault jwt token directly
moo-im-a-cow Apr 22, 2025
e3bb4e7
allow specifying the vault jwt token directly p2
moo-im-a-cow Apr 22, 2025
c171d28
update vaultjwt readme
moo-im-a-cow Apr 22, 2025
248c31c
Merge branch 'main' into vault-jwt-feat
moo-im-a-cow Apr 22, 2025
407655b
update readme
moo-im-a-cow Apr 22, 2025
28a70b0
update readme
moo-im-a-cow Apr 22, 2025
41f875e
update readme
moo-im-a-cow Apr 24, 2025
49d6765
fix(docs): correct code block syntax for example workspace access vau…
DevelopmentCats May 5, 2025
65860cb
fix(docs): correct code block syntax for example workspace access vau…
DevelopmentCats May 5, 2025
bd2fcf6
fix(vault-jwt): readme removed line at end to satisfy prettier
DevelopmentCats May 5, 2025
451f58e
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
898f140
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
4a3dab9
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
80dbe34
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
d9a6c49
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
3b9299f
Update vault-jwt/README.md
moo-im-a-cow May 8, 2025
1301bcb
Apply suggestions from code review
moo-im-a-cow May 8, 2025
6b2ae87
fix exp field and add a description of it
moo-im-a-cow May 8, 2025
d6bcae5
Merge branch 'main' into vault-jwt-feat
moo-im-a-cow May 8, 2025
e191d8f
update readme
moo-im-a-cow May 8, 2025
51c46ed
update readme
moo-im-a-cow May 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 110 additions & 7 deletions vault-jwt/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,17 @@ tags: [helper, integration, vault, jwt, oidc]

# Hashicorp Vault Integration (JWT)

This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.
This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method or another source of jwt token. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.

```tf
module "vault" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.21"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.21"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
vault_jwt_token = "eyJhbGciOiJIUzI1N..." # optional, if not present, defaults to user's oidc authentication token
}
```

Expand Down Expand Up @@ -79,3 +80,105 @@ module "vault" {
vault_cli_version = "1.17.5"
}
```

### use a custom jwt token

```tf

terraform {
required_providers {
jwt = {
source = "geektheripper/jwt"
version = "1.1.4"
}
time = {
source = "hashicorp/time"
version = "0.11.1"
}
}
}


resource "jwt_signed_token" "vault" {
count = data.coder_workspace.me.start_count
algorithm = "RS256"
# `openssl genrsa -out key.pem 4096` and `openssl rsa -in key.pem -pubout > pub.pem` to generate keys
key = file("key.pem")
claims_json = jsonencode({
iss = "https://code.example.com"
sub = "${data.coder_workspace.me.id}"
aud = "https://vault.example.com"
iat = provider::time::rfc3339_parse(plantimestamp()).unix
# exp = timeadd(timestamp(), 3600)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should either be removed or have an associated comment (uncomment to ...).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you mean just the exp field? or the sub, aud, iat, exp fields?
(github shows you replying to 4 lines so just making sure i have the correct context)
I also realised the exp line is invalid, i'll have to update it anyway so that it gives a unix timestamp instead of text timestamp

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

assuming you only meant the exp field, i've fixed it up and added a comment describing it and the pro/con of uncommenting it (making the token expire)

agent = coder_agent.main.id
provisioner = data.coder_provisioner.main.id
provisioner_arch = data.coder_provisioner.main.arch
provisioner_os = data.coder_provisioner.main.os

workspace = data.coder_workspace.me.id
workspace_url = data.coder_workspace.me.access_url
workspace_port = data.coder_workspace.me.access_port
workspace_name = data.coder_workspace.me.name
template = data.coder_workspace.me.template_id
template_name = data.coder_workspace.me.template_name
template_version = data.coder_workspace.me.template_version
owner = data.coder_workspace_owner.me.id
owner_name = data.coder_workspace_owner.me.name
owner_email = data.coder_workspace_owner.me.email
owner_login_type = data.coder_workspace_owner.me.login_type
owner_groups = data.coder_workspace_owner.me.groups
})
}

module "vault" {
count = data.coder_workspace.me.start_count
source = "registry.coder.com/modules/vault-jwt/coder"
version = "1.0.20"
agent_id = coder_agent.example.id
vault_addr = "https://vault.example.com"
vault_jwt_role = "coder" # The Vault role to use for authentication
vault_jwt_token = jwt_signed_token.vault[0].token
}
```

#### example vault jwt role

```
vault write auth/<JWT_MOUNT>/role/workspace -<<EOF
{
"user_claim": "sub",
"bound_audiences": "https://vault.example.com",
"role_type": "jwt",
"ttl": "1h",
"claim_mappings": {
"owner": "owner",
"owner_email": "owner_email",
"owner_login_type": "owner_login_type",
"owner_name": "owner_name",
"provisioner": "provisioner",
"provisioner_arch": "provisioner_arch",
"provisioner_os": "provisioner_os",
"sub": "sub",
"template": "template",
"template_name": "template_name",
"template_version": "template_version",
"workspace": "workspace",
"workspace_name": "workspace_name",
"workspace_id": "workspace_id"
}
}
EOF
```

#### example workspace access vault policy

```hcl
path "kv/data/app/coder/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.owner_name}}/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.workspace_name}}" {
capabilities = ["create", "read", "update", "delete", "list", "subscribe"]
subscribe_event_types = ["*"]
}
path "kv/metadata/app/coder/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.owner_name}}/{{identity.entity.aliases.<MOUNT_ACCESSOR>.metadata.workspace_name}}" {
capabilities = ["create", "read", "update", "delete", "list", "subscribe"]
subscribe_event_types = ["*"]
}
```
9 changes: 8 additions & 1 deletion vault-jwt/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@ variable "vault_addr" {
description = "The address of the Vault server."
}

variable "vault_jwt_token" {
type = string
description = "The JWT token used for authentication with Vault."
default = null
sensitive = true
}

variable "vault_jwt_auth_path" {
type = string
description = "The path to the Vault JWT auth method."
Expand All @@ -46,7 +53,7 @@ resource "coder_script" "vault" {
display_name = "Vault (GitHub)"
icon = "/icon/vault.svg"
script = templatefile("${path.module}/run.sh", {
CODER_OIDC_ACCESS_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token != null ? var.vault_jwt_token : data.coder_workspace_owner.me.oidc_access_token,
VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
VAULT_JWT_ROLE : var.vault_jwt_role,
VAULT_CLI_VERSION : var.vault_cli_version,
Expand Down
Loading