Dynamic claims are currently supported when working with Vault. They make a configuration dynamic in nature, allowing workloads to specify workload-specific claim values outside of the Aembit Tenant UI.
When working with Vault Client Token Credential Providers for your Aembit tenant, you have the option to enable the dynamic claims feature. With it, you can set either a subject claim or a custom claim, using either literal strings or dynamic values.
Minimum Versions
To use the dynamic claims feature, the Agent Injector also needs to be updated to the new minimum version/image (currently 1.9.142) so that the new aembit.io/agent-configmap annotation works properly.
Literal strings
Literal strings are placed verbatim into the target claim; no modification or adjustment is necessary.
Dynamic values
Aembit Cloud communicates dynamic claim requests to the Agent Proxy in the following steps:
- The template is sent to Agent Proxy.
- Agent Proxy collects all necessary information and then sends this information to Aembit Cloud.
- Aembit Cloud replaces the template variables with the values provided by Agent Proxy.
The sections below describe how you can support Vault with Aembit dynamic claims.
Configuring Vault (HashiCorp) Cloud
To enable dynamic claims, you must first configure your HashiCorp Vault instance, since dynamic claims are only applicable to Vault Client Token Credential Providers. Because dynamic claims support is intended for the Vault client token credential provider type, Vault must also be configured to accept a matching set of claim values.
Vault OIDC roles, which are used to log into Vault as part of the Vault client token retrieval, support one or more of the following three bound types:
- bound_subject
- bound_audiences
- bound_claims (generic bound claims)
For more detailed information on configuring Vault Cloud, please see the HashiCorp Vault technical documentation.
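To check ahead of time that the claims a workload will present satisfy a role's bindings, the following added example (not Aembit's or Vault's own code) simulates the bound_subject, bound_audiences and bound_claims checks of a Vault JWT/OIDC role in Python; the role values and the claim sets are constructed placeholders, and only the Vault role field names are real.

```python
import fnmatch

# Constructed Vault auth/jwt role. The keys are real Vault role parameters;
# the values are placeholders, not a real tenant's configuration.
VAULT_ROLE = {
    "role_type": "jwt",
    "user_claim": "sub",
    "bound_subject": "spiffe://example.invalid/workload/example-app",
    "bound_audiences": ["vault-dev"],
    "bound_claims": {"env": ["dev", "staging"], "team": ["payments"]},
    "bound_claims_type": "string",   # "glob" enables wildcard matching
}

# Constructed claim sets, i.e. what the rendered dynamic claims would carry.
GOOD_CLAIMS = {"sub": VAULT_ROLE["bound_subject"], "aud": ["vault-dev"],
               "env": "dev", "team": "payments"}
BAD_CLAIMS = {"sub": VAULT_ROLE["bound_subject"], "aud": ["vault-dev"],
              "env": "prod", "team": "payments"}   # env not allowed by role


def check_claims(claims: dict, role: dict) -> list[str]:
    """Return the bound checks a token would fail; an empty list means accepted."""
    failures = []
    # bound_subject: the sub claim must match exactly.
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        failures.append(f"sub {claims.get('sub')!r} != bound_subject")
    # bound_audiences: at least one aud value must be in the allowed list.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if role.get("bound_audiences") and not set(aud) & set(role["bound_audiences"]):
        failures.append(f"aud {aud!r} not in bound_audiences")
    # bound_claims: every bound claim must match one of its allowed values.
    use_glob = role.get("bound_claims_type") == "glob"
    for name, allowed in role.get("bound_claims", {}).items():
        value = claims.get(name)
        values = value if isinstance(value, list) else [value]
        matched = any(
            fnmatch.fnmatchcase(str(v), a) if use_glob else v == a
            for v in values for a in allowed
        )
        if not matched:
            failures.append(f"claim {name}={value!r} not in {allowed!r}")
    return failures


if __name__ == "__main__":
    print("good:", check_claims(GOOD_CLAIMS, VAULT_ROLE))
    print("bad: ", check_claims(BAD_CLAIMS, VAULT_ROLE))
```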
Client Workload Configuration
If you need to use values from a ConfigMap as dynamic claims, you must configure the aembit.io/agent-configmap annotation for the Client Workload.
For the latest release, you can add this new annotation to a deployment similar to the screenshot shown below.
Here is an example Client Workload YAML with this annotation:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
      annotations:
        aembit.io/agent-inject: "enabled"
        aembit.io/agent-configmap: '["foo1:bar1", "foo2:bar2"]'
The Agent Proxy supports Kubernetes ConfigMaps and specific environment variables in dynamic claims.
The following templates are currently supported (angle brackets mark the placeholders you must fill in):
- k8s.configmap.<CONFIGMAP>.<VALUE>
  - Make sure to specify the CONFIGMAP and the VALUE.
- os.environment.<K8S_POD_NAME>
  - Make sure to specify K8S_POD_NAME.
- os.environment.<CLIENT_WORKLOAD_ID>
  - Make sure to specify CLIENT_WORKLOAD_ID.
Client Workload (Kubernetes) Annotations
In order for the Client Workload to retrieve and configure the ConfigMap, the Client Workload must be annotated properly. For the latest release, you can add this new annotation to a deployment similar to the screenshot shown below.
Confirm Aembit Authentication to Vault
If the Client Workload is able to connect to Vault successfully, this confirms that Aembit authenticated to Vault with the configured and properly injected dynamic claims.