From fbf7312cf1ad528fdfef93f5e556096000719baf Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Tue, 22 Apr 2025 15:55:40 +1000
Subject: [PATCH 1/6] allow specifying the vault jwt token directly
---
 vault-jwt/main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/vault-jwt/main.tf b/vault-jwt/main.tf
index adcc34d4..e2bf5a4d 100644
--- a/vault-jwt/main.tf
+++ b/vault-jwt/main.tf
@@ -20,6 +20,13 @@ variable "vault_addr" {
 description = "The address of the Vault server."
 }
+variable "vault_jwt_token" {
+ type = string
+ description = "The JWT token used for authentication with Vault."
+ default = data.coder_workspace_owner.me.oidc_access_token
+ sensitive = true
+}
+
 variable "vault_jwt_auth_path" {
 type = string
 description = "The path to the Vault JWT auth method."
@@ -46,7 +53,7 @@ resource "coder_script" "vault" {
 display_name = "Vault (GitHub)"
 icon = "/icon/vault.svg"
 script = templatefile("${path.module}/run.sh", {
- CODER_OIDC_ACCESS_TOKEN : data.coder_workspace_owner.me.oidc_access_token,
+ CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token,
 VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
 VAULT_JWT_ROLE : var.vault_jwt_role,
 VAULT_CLI_VERSION : var.vault_cli_version,
From e3bb4e7b840045cdbfce4140a88b784199eeeed8 Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Tue, 22 Apr 2025 16:10:19 +1000
Subject: [PATCH 2/6] allow specifying the vault jwt token directly p2
---
 vault-jwt/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vault-jwt/main.tf b/vault-jwt/main.tf
index e2bf5a4d..17288e00 100644
--- a/vault-jwt/main.tf
+++ b/vault-jwt/main.tf
@@ -23,7 +23,7 @@ variable "vault_addr" {
 variable "vault_jwt_token" {
 type = string
 description = "The JWT token used for authentication with Vault."
- default = data.coder_workspace_owner.me.oidc_access_token
+ default = null
 sensitive = true
 }
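Review bot: The changed line keeps the template key `CODER_OIDC_ACCESS_TOKEN` while its value is now whatever `var.vault_jwt_token` holds, so the name the script sees no longer describes what it receives once a caller supplies their own JWT. If run.sh is updated alongside (it is not part of this patch, so that cannot be confirmed here), renaming the key to `VAULT_JWT_TOKEN` would keep the two in agreement; failing that, a comment above the line such as `# may be a caller-supplied JWT rather than Coder's OIDC token; see var.vault_jwt_token` tells the next reader where the value comes from. The `coder_script` resource starts and ends outside the hunk.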
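Review bot: The `description` of `vault_jwt_token` does not say what a `null` default leads to, yet the module substitutes the workspace owner's Coder OIDC access token in that case, so anyone reading generated module docs has to find the fallback in the resource block. Suggest `description = "JWT used to authenticate to Vault. If null (the default), the workspace owner's Coder OIDC access token is used."`. A `validation` block on the variable would also surface a mis-wired caller at plan time rather than at workspace start, for example `condition = var.vault_jwt_token == null || can(regex("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$", var.vault_jwt_token))` with an `error_message` that states only that the value is not a compact-serialized JWT. Because the variable is `sensitive`, the error message must not interpolate the value. The variable block is fully contained in the hunk.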
@@ -53,7 +53,7 @@ resource "coder_script" "vault" {
 display_name = "Vault (GitHub)"
 icon = "/icon/vault.svg"
 script = templatefile("${path.module}/run.sh", {
- CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token,
+ CODER_OIDC_ACCESS_TOKEN : var.vault_jwt_token != null ? var.vault_jwt_token : data.coder_workspace_owner.me.oidc_access_token,
 VAULT_JWT_AUTH_PATH : var.vault_jwt_auth_path,
 VAULT_JWT_ROLE : var.vault_jwt_role,
 VAULT_CLI_VERSION : var.vault_cli_version,
From c171d287cd3ca9ead222e0753d04402006abd352 Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Tue, 22 Apr 2025 18:48:57 +1000
Subject: [PATCH 3/6] update vaultjwt readme
---
 vault-jwt/README.md | 66 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/vault-jwt/README.md b/vault-jwt/README.md
index 66070397..9396db2b 100644
--- a/vault-jwt/README.md
+++ b/vault-jwt/README.md
@@ -10,7 +10,7 @@ tags: [helper, integration, vault, jwt, oidc]
 # Hashicorp Vault Integration (JWT)
-This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.
+This module lets you authenticate with [Hashicorp Vault](https://www.vaultproject.io/) in your Coder workspaces by reusing the [OIDC](https://coder.com/docs/admin/users/oidc-auth) access token from Coder's OIDC authentication method or another source of jwt token. This requires configuring the Vault [JWT/OIDC](https://developer.hashicorp.com/vault/docs/auth/jwt#configuration) auth method.
 ```tf
 module "vault" {
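Review bot: The fallback on the `CODER_OIDC_ACCESS_TOKEN` line can be expressed with Terraform's built-in `coalesce(var.vault_jwt_token, data.coder_workspace_owner.me.oidc_access_token)`, which is shorter and avoids repeating `var.vault_jwt_token`. Note the semantic difference: `coalesce` also skips an empty string, so a caller passing `""` would fall back to the OIDC token instead of the script attempting a Vault login with an empty token — likely the preferable outcome here, but it should be a deliberate choice and stated in the variable description. The enclosing `coder_script` resource starts and ends outside the hunk.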
@@ -20,6 +20,7 @@ module "vault" {
 agent_id = coder_agent.example.id
 vault_addr = "https://vault.example.com"
 vault_jwt_role = "coder" # The Vault role to use for authentication
+ vault_jwt_token= "eyJhbGciOiJIUzI1N..." # optional, if not present, defaults to user's oidc authentication token
 }
 ```
@@ -79,3 +80,66 @@ module "vault" {
 vault_cli_version = "1.17.5"
 }
 ```
+
+
+### use a custom jwt token
+
+```tf
+
+terraform {
+ required_providers {
+ ...
+ jwt = {
+ source = "geektheripper/jwt"
+ version = "1.1.4"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = "0.11.1"
+ }
+ ...
+ }
+}
+
+
+resource "jwt_signed_token" "vault" {
+ count = data.coder_workspace.me.start_count
+ algorithm = "RS256"
+ # `openssl genrsa -out key.pem 4096` and `openssl rsa -in key.pem -pubout > pub.pem` to generate keys
+ key = file("key.pem")
+ claims_json = jsonencode({
+ iss = "https://code.example.com"
+ sub = "${data.coder_workspace.me.id}"
+ aud = "https://vault.example.com"
+ iat = provider::time::rfc3339_parse(plantimestamp()).unix
+ # exp = timeadd(timestamp(), 3600)
+ agent = coder_agent.main.id
+ provisioner = data.coder_provisioner.main.id
+ provisioner_arch = data.coder_provisioner.main.arch
+ provisioner_os = data.coder_provisioner.main.os
+
+ workspace = data.coder_workspace.me.id
+ workspace_url = data.coder_workspace.me.access_url
+ workspace_port = data.coder_workspace.me.access_port
+ workspace_name = data.coder_workspace.me.name
+ template = data.coder_workspace.me.template_id
+ template_name = data.coder_workspace.me.template_name
+ template_version = data.coder_workspace.me.template_version
+ owner = data.coder_workspace_owner.me.id
+ owner_name = data.coder_workspace_owner.me.name
+ owner_email = data.coder_workspace_owner.me.email
+ owner_login_type = data.coder_workspace_owner.me.login_type
+ owner_groups = data.coder_workspace_owner.me.groups
+ })
+}
+
+module "vault" {
+ count = data.coder_workspace.me.start_count
+ source = "registry.coder.com/modules/vault-jwt/coder"
+ version = "1.0.20"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ vault_jwt_role = "coder" # The Vault role to use for authentication
+ vault_jwt_token = jwt_signed_token.vault[0].token
+}
+```
From 407655bebfd1fa15b7969c44a6e1aad8b9cc9aa5 Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Tue, 22 Apr 2025 20:28:10 +1000
Subject: [PATCH 4/6] update readme
---
 vault-jwt/README.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/vault-jwt/README.md b/vault-jwt/README.md
index aecfa754..afb88585 100644
--- a/vault-jwt/README.md
+++ b/vault-jwt/README.md
@@ -143,3 +143,42 @@ module "vault" {
 vault_jwt_token = jwt_signed_token.vault[0].token } ``` +#### example vault jwt role +``` +vault write auth//role/workspace -<.metadata.owner_name}}/{{identity.entity.aliases..metadata.workspace_name}}" { + capabilities = ["create", "read", "update", "delete", "list", "subscribe"] + subscribe_event_types = ["*"] +} +path "kv/metadata/app/coder/{{identity.entity.aliases..metadata.owner_name}}/{{identity.entity.aliases..metadata.workspace_name}}" { + capabilities = ["create", "read", "update", "delete", "list", "subscribe"] + subscribe_event_types = ["*"] +} +``` +
From 28a70b0504f21efc06120e4ab77503620a62b1d7 Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Tue, 22 Apr 2025 22:13:43 +1000
Subject: [PATCH 5/6] update readme
---
 vault-jwt/README.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/vault-jwt/README.md b/vault-jwt/README.md
index afb88585..9c48cab2 100644
--- a/vault-jwt/README.md
+++ b/vault-jwt/README.md
@@ -88,7 +88,6 @@ module "vault" {
 terraform {
 required_providers {
- ...
 jwt = {
 source = "geektheripper/jwt"
 version = "1.1.4"
@@ -97,7 +96,6 @@ terraform {
 source = "hashicorp/time"
 version = "0.11.1"
 }
- ...
 }
 }
From 41f875e335378f0c054bf5abed6505a73a142cbe Mon Sep 17 00:00:00 2001
From: Birdie K <5210502+moo-im-a-cow@users.noreply.github.com>
Date: Thu, 24 Apr 2025 12:28:36 +1000
Subject: [PATCH 6/6] update readme
---
 vault-jwt/README.md | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/vault-jwt/README.md b/vault-jwt/README.md
index 9c48cab2..f69ec8a5 100644
--- a/vault-jwt/README.md
+++ b/vault-jwt/README.md
@@ -14,13 +14,13 @@ This module lets you authenticate with [Hashicorp Vault](https://www.vaultprojec
 ```tf
 module "vault" {
- count = data.coder_workspace.me.start_count
- source = "registry.coder.com/modules/vault-jwt/coder"
- version = "1.0.21"
- agent_id = coder_agent.example.id
- vault_addr = "https://vault.example.com"
- vault_jwt_role = "coder" # The Vault role to use for authentication
- vault_jwt_token= "eyJhbGciOiJIUzI1N..." # optional, if not present, defaults to user's oidc authentication token
+ count = data.coder_workspace.me.start_count
+ source = "registry.coder.com/modules/vault-jwt/coder"
+ version = "1.0.21"
+ agent_id = coder_agent.example.id
+ vault_addr = "https://vault.example.com"
+ vault_jwt_role = "coder" # The Vault role to use for authentication
+ vault_jwt_token = "eyJhbGciOiJIUzI1N..." # optional, if not present, defaults to user's oidc authentication token
 }
 ```
@@ -81,7 +81,6 @@ module "vault" {
 }
 ```
-
 ### use a custom jwt token
 ```tf
@@ -104,7 +103,7 @@ resource "jwt_signed_token" "vault" {
 count = data.coder_workspace.me.start_count
 algorithm = "RS256"
 # `openssl genrsa -out key.pem 4096` and `openssl rsa -in key.pem -pubout > pub.pem` to generate keys
- key = file("key.pem")
+ key = file("key.pem")
 claims_json = jsonencode({
 iss = "https://code.example.com"
 sub = "${data.coder_workspace.me.id}"
@@ -132,16 +131,18 @@ resource "jwt_signed_token" "vault" { } module "vault" { - count = data.coder_workspace.me.start_count - source = "registry.coder.com/modules/vault-jwt/coder" - version = "1.0.20" - agent_id = coder_agent.example.id - vault_addr = "https://vault.example.com" - vault_jwt_role = "coder" # The Vault role to use for authentication - vault_jwt_token = jwt_signed_token.vault[0].token + count = data.coder_workspace.me.start_count + source = "registry.coder.com/modules/vault-jwt/coder" + version = "1.0.20" + agent_id = coder_agent.example.id + vault_addr = "https://vault.example.com" + vault_jwt_role = "coder" # The Vault role to use for authentication + vault_jwt_token = jwt_signed_token.vault[0].token } ``` + #### example vault jwt role + ``` vault write auth//role/workspace -</role/workspace -<.metadata.owner_name}}/{{identity.entity.aliases..metadata.workspace_name}}" { capabilities = ["create", "read", "update", "delete", "list", "subscribe"] @@ -179,4 +182,3 @@ path "kv/metadata/app/coder/{{identity.entity.aliases..metadata. subscribe_event_types = ["*"] } ``` -