K8s authn-jwt based authentication

Hi,
are there any document to configure k8s authn-jwt based authentication?
this page only talks about authn-k8s:
https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-k8s-authn.htm?tocpath=Integrations|OpenShift%2FKubernetes|_____4

Thanks,
Marco

Hi @iampolo,
I don’t think we have official documentation on this yet, but we do have sample Helm charts that use JWT, which should be helpful.
Please let us know if you have any specific questions after reviewing those.

Hi @iampolo,

Have you checked out the JWT Authenticator for Kubernetes (JWT-based) docs? They are for Conjur Enterprise but also apply to Conjur OSS.

Samir

@samir.shetty @szh
Thank you for the information. I am aware of those JWT-based docs in that link.

Our application runs in OCP. Because the use cases are different from regular apps, the initcontainer or sidecar pattern doesn’t apply to us.
We will use GitHub - cyberark/conjur-api-go: Go client for the CyberArk Conjur API to develop a client library to programmatically retrieve credentials from Conjur by using Service Account JWT token.
I am still doing some investigation, but do you think I am on the right track by first setting up the JWT authenticator for k8s in Conjur, and then using conjur-api-go to access Conjur?

@iampolo I’d love to hear more about your use case, in particular the challenges around init container/sidecar. Without those constraints you could have simply used GitHub - cyberark/secrets-provider-for-k8s: Cyberark secrets provider for k8s. Feel free to reach out to me via email at samir.bhatt at cyberark.

do you think I am on the right track by first setting up the JWT authenticator for k8s in Conjur, and then using conjur-api-go to access Conjur?

Yes that sounds like a good approach.

Hi @samir.shetty

I am encountering a problem while setting up the authn-jwt.

I am using this image: jodyhuntatx/conjur-appliance:12.1.1, because I have a working example using authn-k8s, so I am trying to enable JWT on it.

I have the policy YAML below and applied it. When I used my app to authenticate with the Conjur server, it gave me the error message Authenticator 'authn-jwt' is not supported in Conjur.

The Conjur https://localhost/info shows that authn-jwt is not installed, even though it does show as enabled. Do you think that is the reason?

I tried to install conjur-oss like this one: https://github.com/cyberark/conjur-oss-helm-chart/tree/main/examples, but it also doesn’t enable authn-jwt.

Basically, I want to know how to install and enable authn-jwt. Could you help me with this?

Thanks in advance!

- !policy
  id: conjur/authn-jwt/os-climate-poc
  body:
    - !webservice
 
    # Uncomment one of following variables depending on the public availability
    # of the Service Account Issuer Discovery service in Kubernetes 
    # If the service is publicly available, uncomment 'jwks-uri'.
    # If the service is not available, uncomment 'public-keys'
    # - !variable jwks-uri
    - !variable public-keys
 
    - !variable issuer
    - !variable token-app-property
    - !variable identity-path
    - !variable audience
    
    # Group of applications that can authenticate using this JWT Authenticator
    - !group consumers
   
    - !permit
      role: !group consumers
      privilege: [ read, authenticate ]
      resource: !webservice
   
    - !webservice status
   
    # Group of users who can check the status of the JWT Authenticator
    - !group operators
   
    - !permit
      role: !group operators
      privilege: [ read ]
      resource: !webservice status

# curl -k localhost/info
{
  "release": "12.1.1",
  "version": "5.13.2",
  "services": {
    "evoke": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-evoke",
      "version": "5.20.1.0-7017545",
      "arch": "amd64"
    },
    "ldap-sync": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-ldap-sync",
      "version": "2.1.12.0-fae9d7f",
      "arch": "amd64"
    },
    "possum": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-possum",
      "version": "1.11.4.1-ec61a65f",
      "arch": "amd64"
    },
    "ui": {
      "desired": "i",
      "status": "i",
      "err": null,
      "description": "Conjur",
      "name": "conjur-ui",
      "version": "2.12.0.0-d3ed2d68",
      "arch": "amd64"
    }
  },
  "container": "dap-service-node-6d974c749d-9fchh",
  "role": "master",
  "configuration": {
    "conjur": {
      "role": "master",
      "account": "lab",
      "hostname": "dap-service-node.cyberlab.svc.cluster.local",
      "master_altnames": [
        "dap-service-node.cyberlab.svc.cluster.local",
        "localhost",
        "conjur"
      ]
    }
  },
  "authenticators": {
    "installed": [
      "authn",
      "authn-azure",
      "authn-gcp",
      "authn-iam",
      "authn-k8s",
      "authn-ldap",
      "authn-oidc"
    ],
    "configured": [
      "authn",
      "authn-jwt/os-climate-poc"
    ],
    "enabled": [
      "authn-jwt/os-climate-poc"
    ]
  }
}
<14>1 2022-06-10T20:54:38.000+00:00 dap-service-node-6d974c749d-tsnfn conjur-possum 1757 - [meta sequenceId="2"] [origin=10.129.2.25] [request_id=fb874785-663a-470f-9e37-5635fc786fab] [tid=2689] Processing by AuthenticateController#authenticate as HTML
<14>1 2022-06-10T20:54:38.000+00:00 dap-service-node-6d974c749d-tsnfn conjur-possum 1757 - [meta sequenceId="3"] [origin=10.129.2.25] [request_id=fb874785-663a-470f-9e37-5635fc786fab] [tid=2689]   Parameters: {:controller=>"authenticate", :action=>"authenticate", :authenticator=>"authn-jwt", :service_id=>"os-climate-poc", :account=>"lab", :id=>"host/jupyterhub/notebooks-team1"}
<14>1 2022-06-10T20:54:38.000+00:00 dap-service-node-6d974c749d-tsnfn conjur-possum 1757 - [meta sequenceId="4"] [origin=10.129.2.25] [request_id=fb874785-663a-470f-9e37-5635fc786fab] [tid=2689] CONJ00048I Authentication Error: #<Errors::Authentication::AuthenticatorNotSupported: CONJ00001E Authenticator 'authn-jwt' is not supported in Conjur>
<14>1 2022-06-10T20:54:38.000+00:00 dap-service-node-6d974c749d-tsnfn conjur-possum 1757 - [meta sequenceId="5"] [origin=10.129.2.25] [request_id=fb874785-663a-470f-9e37-5635fc786fab] [tid=2689] Completed 401 Unauthorized in 3ms
<13>1 2022-06-10T20:54:39.199+00:00 dap-service-node-6d974c749d-tsnfn nginx - - [meta sequenceId="6"] 10.129.2.25 "-" "POST /api/authn-jwt/os-climate-poc/lab/host%2Fjupyterhub%2Fnotebooks-team1/authenticate HTTP/1.1" 401 5 "-" "k8s" 0.005 0.005

Hi @iampolo,

The appliance image you are using predates the authn-jwt feature. The JWT authenticator is however available in the latest version of Conjur OSS, which can be installed using the Helm chart like you mentioned.

The policy looks good, but you still need to enable the authn-jwt/os-climate-poc authenticator. To do so, set the CONJUR_AUTHENTICATORS environment variable in the Conjur container with value authn-jwt/os-climate-poc,authn. Please see Configure authentication for reference.

Best regards,
Samir

Thank you @samir.shetty,

Though I think I am one step closer, I now see an error from the conjur-oss server like this:

[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00057I Started authentication flow for authenticator 'authn-jwt'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00076I Selected signing key interface: 'public-keys'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00143I Parsing JWKS from public-keys value...
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00139I Successfully fetched audience value 'https://kubernetes.default.svc'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00054I "issuer" value will be taken from 'issuer'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00055I Retrieved "issuer" with value 'https://kubernetes.default.svc'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00068I Fetched JWT claims '["exp", "aud", "iss", "nbf", "iat"]' to validate
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] lab:user:USERNAME_MISSING failed to authenticate with authenticator authn-jwt service lab:webservice:conjur/authn-jwt/os-climate-poc: CONJ00098E JWT identity configuration is invalid
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] CONJ00048I Authentication Error: #<Errors::Authentication::AuthnJwt::IdentityMisconfigured: CONJ00098E JWT identity configuration is invalid>
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/identity_providers/create_identity_provider.rb:36:in `create_identity_provider'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/identity_providers/create_identity_provider.rb:23:in `call'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] (eval):7:in `call'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/vendor_configurations/configuration_jwt_generic_vendor.rb:98:in `identity_provider'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/vendor_configurations/configuration_jwt_generic_vendor.rb:92:in `jwt_identity_from_request'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/vendor_configurations/configuration_jwt_generic_vendor.rb:46:in `jwt_identity'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/authenticator.rb:52:in `jwt_identity'
[origin=10.128.2.35] [request_id=8947ca60-7e02-4d81-88c3-bcde4026c8fb] [tid=35] /opt/conjur-server/app/domain/authentication/authn_jwt/authenticator.rb:47:in `get_jwt_identity_from_request'

In OpenShift, I have this Service Account:

Conjur-oss rejected the authentication with the above error.
Would you know where I setup incorrectly?

Btw, I have a testing program that uses conjur-authn-k8s-client to connect to Conjur-oss. It reads and sends the SA’s token to Conjur-oss.

conjur variable value conjur/authn-jwt/os-climate-poc/public-keys

conjur variable value conjur/authn-jwt/os-climate-poc/issuer
https://kubernetes.default.svc

conjur variable value conjur/authn-jwt/os-climate-poc/token-app-property
sub

conjur variable value conjur/authn-jwt/os-climate-poc/identity-path
app-path

conjur variable value conjur/authn-jwt/os-climate-poc/audience
https://kubernetes.default.svc

conjur list
[
  "lab:policy:root",
  "lab:policy:conjur/authn-jwt/os-climate-poc",
  "lab:webservice:conjur/authn-jwt/os-climate-poc",
  "lab:variable:conjur/authn-jwt/os-climate-poc/public-keys",
  "lab:variable:conjur/authn-jwt/os-climate-poc/issuer",
  "lab:variable:conjur/authn-jwt/os-climate-poc/token-app-property",
  "lab:variable:conjur/authn-jwt/os-climate-poc/identity-path",
  "lab:variable:conjur/authn-jwt/os-climate-poc/audience",
  "lab:group:conjur/authn-jwt/os-climate-poc/consumers",
  "lab:webservice:conjur/authn-jwt/os-climate-poc/status",
  "lab:group:conjur/authn-jwt/os-climate-poc/operators",
  "lab:policy:os-climate",
  "lab:policy:os-climate/team1",
  "lab:policy:os-climate/team2",
  "lab:policy:os-climate/team1/awscredentials",
  "lab:variable:os-climate/team1/awscredentials/aws-accesskey",
  "lab:variable:os-climate/team1/awscredentials/aws-secretkey",
  "lab:group:os-climate/team1/awscredentials/secrets-users",
  "lab:policy:os-climate/team2/awscredentials",
  "lab:variable:os-climate/team2/awscredentials/aws-accesskey",
  "lab:variable:os-climate/team2/awscredentials/aws-secretkey",
  "lab:group:os-climate/team2/awscredentials/secrets-users",
  "lab:policy:jupyterhub",
  "lab:host:jupyterhub/notebooks-team1",
  "lab:host:jupyterhub/notebooks-team2",
  "lab:host:jupyterhub/notebooks-team3",
  "lab:group:jupyterhub",
  "lab:policy:jupyterhubapps",
  "lab:layer:jupyterhubapps/jupyterappslayer1",
  "lab:layer:jupyterhubapps/jupyterappslayer2",
  "lab:policy:kms-apps",
  "lab:host:kms-apps/system:serviceaccount:data-team1:data-team1",
  "lab:group:kms-apps"
]

- !policy
  id: kms-apps
  body:
    - &hosts
      - !host
        id: system:serviceaccount:data-team1:data-team1
        annotations: 
          authn-jwt/os-climate-poc/sub: system:serviceaccount:data-team1:data-team1

    - !group

    - !grant
      role: !group
      members: *hosts

- !grant
  role: !group conjur/authn-jwt/os-climate-poc/consumers
  member: !group kms-apps

I believe the value of the variable conjur/authn-jwt/os-climate-poc/identity-path should be kms-apps, not app-path which is a nonexistent path prefix.

yes, I changed that.

I can log in with the host id using the conjur CLI:

# conjur authn login -u host/kms-apps/sa-team1 -p eqz26v3t05axs27qtrsyg1t70q2r67fyg30ae69a2dt69etndym5a
Logged in

And the authn-k8s-client seems to be sending correct url for Authn:

https://conjur-oss.cyberlab.svc.cluster.local/api/authn-jwt/os-climate-poc/lab/host%2Fkms-apps%2Fsa-team1/authenticate

But I am still getting 401 from conjur-oss:

# from conjur-oss server:
lab:user:USERNAME_MISSING failed to authenticate with authenticator authn-jwt service lab:webservice:conjur/authn-jwt/os-climate-poc: CONJ00098E JWT identity configuration is invalid

The message is not clear to me about where exactly things went wrong.

Not sure if you or anyone else can suggest how to troubleshoot this?

[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] Started POST "/authn-jwt/os-climate-poc/lab/host%2Fkms-apps%2Fsa-team1/authenticate" for 10.129.2.37 at 2022-06-16 19:32:46 +0000
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] Processing by AuthenticateController#authenticate_jwt as HTML
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31]   Parameters: {:controller=>"authenticate", :action=>"authenticate_jwt", :service_id=>"os-climate-poc", :account=>"lab", :id=>"host/kms-apps/sa-team1"}
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00057I Started authentication flow for authenticator 'authn-jwt'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00076I Selected signing key interface: 'public-keys'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00143I Parsing JWKS from public-keys value...
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00139I Successfully fetched audience value 'https://kubernetes.default.svc'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00054I "issuer" value will be taken from 'issuer'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00055I Retrieved "issuer" with value 'https://kubernetes.default.svc'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00068I Fetched JWT claims '["exp", "aud", "iss", "nbf", "iat"]' to validate
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] lab:user:USERNAME_MISSING failed to authenticate with authenticator authn-jwt service lab:webservice:conjur/authn-jwt/os-climate-poc: CONJ00098E JWT identity configuration is invalid
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] CONJ00048I Authentication Error: #<Errors::Authentication::AuthnJwt::IdentityMisconfigured: CONJ00098E JWT identity configuration is invalid>
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] /opt/conjur-server/app/domain/authentication/authn_jwt/identity_providers/create_identity_provider.rb:36:in `create_identity_provider'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] /opt/conjur-server/app/domain/authentication/authn_jwt/identity_providers/create_identity_provider.rb:23:in `call'
[origin=10.129.2.37] [request_id=afb8f44e-b832-4fe4-8caf-26045789f1d0] [tid=31] (eval):7:in `call'

Application conjur-authn-k8s-client log

INFO: 2022/06/16 19:33:41.483980 authenticator.go:63: CAKC066 Performing authn-jwt
DEBUG: 2022/06/16 19:33:41.484004 authenticator.go:142: CAKC076 Loading JWT from /var/run/secrets/kubernetes.io/serviceaccount/token...
DEBUG: 2022/06/16 19:33:41.484045 authenticator.go:149: CAKC077 Successfully loaded JWT
DEBUG: 2022/06/16 19:33:41.484049 authenticator.go:103: CAKC078 Extracting application identity (host) from configuration...
DEBUG: 2022/06/16 19:33:41.484054 authenticator.go:106: CAKC079 Extracted application identity (host) host/kms-apps/sa-team1 from configuration
DEBUG: 2022/06/16 19:33:41.484060 requests.go:20: CAKC046 Authn request to: https://conjur-oss.cyberlab.svc.cluster.local/api/authn-jwt/os-climate-poc/lab/host%2Fkms-apps%2Fsa-team1/authenticate
DEBUG: 2022/06/16 19:33:41.484076 authenticator.go:124: CAKC069 Sending authn-jwt request...
2022/06/16 19:33:41 Info: Conjur provider received an error on authenticate: status code 401

I did a clean up and included all the configs below.

$ conjur variable value conjur/authn-jwt/os-climate-poc/audience
https://kubernetes.default.svc

$ conjur variable value conjur/authn-jwt/os-climate-poc/identity-path
kms-apps

$ conjur variable value conjur/authn-jwt/os-climate-poc/token-app-property
sub

$ conjur variable value conjur/authn-jwt/os-climate-poc/issuer
https://kubernetes.default.svc

- !policy
  id: conjur/authn-jwt/os-climate-poc
  body:
    - !webservice

    - !variable public-keys
 
    - !variable issuer
    - !variable token-app-property
    - !variable identity-path
    - !variable audience
    
    # Group of applications that can authenticate using this JWT Authenticator
    - !group consumers
   
    - !permit
      role: !group consumers
      privilege: [ read, authenticate ]
      resource: !webservice
   
    - !webservice status
   
    # Group of users who can check the status of the JWT Authenticator
    - !group operators
   
    - !permit
      role: !group operators
      privilege: [ read ]
      resource: !webservice status

--
- !policy
  id: kms-apps
  body:
    - !host
      id: sa-team1
      annotations: 
        authn-jwt/os-climate-poc/sub: system:serviceaccount:data-team1:data-team1

- !grant
  role: !group conjur/authn-jwt/os-climate-poc/consumers
  member: !host kms-apps/sa-team1

--
- !grant
  role: !group os-climate/team1/awscredentials/secrets-users
  member: 
    - !host kms-apps/sa-team1
--
[
  "lab:policy:root",
  "lab:policy:conjur/authn-jwt/os-climate-poc",
  "lab:webservice:conjur/authn-jwt/os-climate-poc",
  "lab:variable:conjur/authn-jwt/os-climate-poc/public-keys",
  "lab:variable:conjur/authn-jwt/os-climate-poc/issuer",
  "lab:variable:conjur/authn-jwt/os-climate-poc/token-app-property",
  "lab:variable:conjur/authn-jwt/os-climate-poc/identity-path",
  "lab:variable:conjur/authn-jwt/os-climate-poc/audience",
  "lab:group:conjur/authn-jwt/os-climate-poc/consumers",
  "lab:webservice:conjur/authn-jwt/os-climate-poc/status",
  "lab:group:conjur/authn-jwt/os-climate-poc/operators",
  "lab:policy:os-climate",
  "lab:policy:os-climate/team1",
  "lab:policy:os-climate/team1/awscredentials",
  "lab:variable:os-climate/team1/awscredentials/aws-accesskey",
  "lab:variable:os-climate/team1/awscredentials/aws-secretkey",
  "lab:group:os-climate/team1/awscredentials/secrets-users",
  "lab:policy:kms-apps",
  "lab:host:kms-apps/sa-team1"
]

Since the host identity is being provided as the subject field in the token, it should not be specified in the URL. Unset the CONJUR_AUTHN_LOGIN environment variable when running conjur-authn-k8s-client so that Conjur uses the host identity in the token.

The correct authn URL should be https://conjur-oss.cyberlab.svc.cluster.local/api/authn-jwt/os-climate-poc/lab/authenticate without the host segment.
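As an added example (not code from this thread, conjur-api-go or conjur-authn-k8s-client), here is a minimal Go client that performs the authn-jwt request the way the thread ends up with: it reads the projected service account token, POSTs it as `jwt=<token>` to Conjur's authn-jwt endpoint, and only appends a URL-escaped host segment when CONJUR_AUTHN_LOGIN is set. The account `lab`, service id `os-climate-poc` and the `/api` base path are taken from the thread; CONJUR_APPLIANCE_URL is assumed to hold the full base URL.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Path of the service account token Kubernetes mounts into the pod.
const saTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// AuthnJWTURL builds the Conjur authn-jwt authenticate endpoint. An empty
// hostID means the identity comes from the token claim named by
// token-app-property, so no host segment is added (the fix in the thread).
// A non-empty hostID is escaped so "host/kms-apps/sa-team1" becomes
// "host%2Fkms-apps%2Fsa-team1", as in the logged request URLs.
func AuthnJWTURL(applianceURL, serviceID, account, hostID string) string {
	base := strings.TrimRight(applianceURL, "/")
	if hostID == "" {
		return fmt.Sprintf("%s/authn-jwt/%s/%s/authenticate", base, serviceID, account)
	}
	return fmt.Sprintf("%s/authn-jwt/%s/%s/%s/authenticate",
		base, serviceID, account, url.PathEscape(hostID))
}

// LoadServiceAccountToken reads the mounted SA token and trims whitespace.
func LoadServiceAccountToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

// Authenticate sends the JWT as form data (jwt=<token>), which is what the
// Conjur authn-jwt endpoint expects, and returns the response body (the
// Conjur access token, base64-encoded because of Accept-Encoding) on HTTP 200.
func Authenticate(client *http.Client, authnURL, jwt string) ([]byte, error) {
	form := url.Values{"jwt": {jwt}}
	req, err := http.NewRequest(http.MethodPost, authnURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept-Encoding", "base64")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("conjur authn-jwt returned status %d: %s", resp.StatusCode, body)
	}
	return body, nil
}

func main() {
	// Assumed env var holding e.g. https://conjur-oss.cyberlab.svc.cluster.local/api
	applianceURL := os.Getenv("CONJUR_APPLIANCE_URL")
	hostID := os.Getenv("CONJUR_AUTHN_LOGIN") // leave unset when token-app-property is configured
	jwt, err := LoadServiceAccountToken(saTokenPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read SA token:", err)
		os.Exit(1)
	}
	token, err := Authenticate(http.DefaultClient, AuthnJWTURL(applianceURL, "os-climate-poc", "lab", hostID), jwt)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("received Conjur access token (%d bytes)\n", len(token))
}
```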

yes, works now, finally.
Thank you so much @samir.shetty
