From c7f6602f1ffc03cc86e24cf3ee2afc60cca3568e Mon Sep 17 00:00:00 2001 From: hc-github-team-consul-core Date: Wed, 20 Sep 2023 20:22:36 -0400 Subject: [PATCH] Backport of docs: Add complete auth method payloads into release/1.16.x (#18912) backport of commit 30b6777cb3f04589a7bdd0f6089be2d623454ed2 Co-authored-by: Blake Covarrubias --- .../content/api-docs/acl/binding-rules.mdx | 98 ++++++++++++++----- .../security/acl/auth-methods/aws-iam.mdx | 4 +- .../docs/security/acl/auth-methods/jwt.mdx | 12 ++- .../security/acl/auth-methods/kubernetes.mdx | 6 +- .../docs/security/acl/auth-methods/oidc.mdx | 4 +- .../partials/jwt_claim_mapping_details.mdx | 19 ++-- 6 files changed, 105 insertions(+), 38 deletions(-) diff --git a/website/content/api-docs/acl/binding-rules.mdx b/website/content/api-docs/acl/binding-rules.mdx index 043086f58..10be5f9d2 100644 --- a/website/content/api-docs/acl/binding-rules.mdx +++ b/website/content/api-docs/acl/binding-rules.mdx @@ -62,38 +62,63 @@ The corresponding CLI command is [`consul acl binding-rule create`](/consul/comm - `BindType=service` - The computed bind name value is used as an `ACLServiceIdentity.ServiceName` field in the token that is created. + + ```json - { ...other fields... - "ServiceIdentities": [ - { "ServiceName": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "ServiceIdentities": [ + { + "ServiceName": "" + } + ] } ``` + + - `BindType=node` - The computed bind name value is used as an `ACLNodeIdentity.NodeName` field in the token that is created. + + ```json - { ...other fields... - "NodeIdentities": [ - { "NodeName": "", "Datacenter": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "NodeIdentities": [ + { + "NodeName": "", + "Datacenter": "" + } + ] } ``` + + - `BindType=role` - The computed bind name value is used as a `RoleLink.Name` field in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored. + + ```json - { ...other fields... - "Roles": [ - { "Name": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "Roles": [ + { + "Name": "" + } + ] } ``` + + - `BindName` `(string: )` - The name to bind to a token at login-time. What it binds to can be adjusted with different values of the `BindType` field. This can either be a plain string or lightly templated @@ -250,38 +275,63 @@ The corresponding CLI command is [`consul acl binding-rule update`](/consul/comm - `BindType=service` - The computed bind name value is used as an `ACLServiceIdentity.ServiceName` field in the token that is created. + + ```json - { ...other fields... - "ServiceIdentities": [ - { "ServiceName": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "ServiceIdentities": [ + { + "ServiceName": "" + } + ] } ``` + + - `BindType=node` - The computed bind name value is used as an `ACLNodeIdentity.NodeName` field in the token that is created. + + ```json - { ...other fields... - "NodeIdentities": [ - { "NodeName": "", "Datacenter": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "NodeIdentities": [ + { + "NodeName": "", + "Datacenter": "" + } + ] } ``` + + - `BindType=role` - The computed bind name value is used as a `RoleLink.Name` field in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored. + + ```json - { ...other fields... - "Roles": [ - { "Name": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "Roles": [ + { + "Name": "" + } + ] } ``` + + - `BindName` `(string: )` - The name to bind to a token at login-time. What it binds to can be adjusted with different values of the `BindType` field. This can either be a plain string or lightly templated diff --git a/website/content/docs/security/acl/auth-methods/aws-iam.mdx b/website/content/docs/security/acl/auth-methods/aws-iam.mdx index 72e17f7cb..bf4433a1a 100644 --- a/website/content/docs/security/acl/auth-methods/aws-iam.mdx +++ b/website/content/docs/security/acl/auth-methods/aws-iam.mdx @@ -86,7 +86,9 @@ parameters for an auth method of type `aws-iam`: ```json { - ...other fields... + "Name": "example-iam-auth", + "Type": "aws-iam", + "Description": "Example AWS IAM auth method", "Config": { "BoundIAMPrincipalARNs": ["arn:aws:iam::123456789012:role/MyRoleName"], "EnableIAMEntityDetails": true, diff --git a/website/content/docs/security/acl/auth-methods/jwt.mdx b/website/content/docs/security/acl/auth-methods/jwt.mdx index 1e99502c0..c019ad18f 100644 --- a/website/content/docs/security/acl/auth-methods/jwt.mdx +++ b/website/content/docs/security/acl/auth-methods/jwt.mdx @@ -92,7 +92,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-jwt-auth-static-keys", + "Type": "jwt", + "Description": "Example JWT auth method with static keys", "Config": { "BoundIssuer": "corp-issuer", "JWTValidationPubKeys": [ @@ -113,7 +115,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-jwt-auth-jwks", + "Type": "jwt", + "Description": "Example JWT auth method with JWKS", "Config": { "JWKSURL": "https://my-corp-jwks-url.example.com/", "ClaimMappings": { @@ -131,7 +135,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", "Config": { "BoundAudiences": [ "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" diff --git a/website/content/docs/security/acl/auth-methods/kubernetes.mdx b/website/content/docs/security/acl/auth-methods/kubernetes.mdx index 13f76481c..a5505f5d0 100644 --- a/website/content/docs/security/acl/auth-methods/kubernetes.mdx +++ b/website/content/docs/security/acl/auth-methods/kubernetes.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Kubernetes Auth Method +page_title: Kubernetes Auth Method description: >- Use the Kubernetes auth method type to authenticate to Consul with a Kubernetes service account token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure auth method parameters using this reference page and example configuration. --- @@ -61,7 +61,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-k8s-auth", + "Type": "kubernetes", + "Description": "Example JWT auth method", "Config": { "Host": "https://192.0.2.42:8443", "CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n", diff --git a/website/content/docs/security/acl/auth-methods/oidc.mdx b/website/content/docs/security/acl/auth-methods/oidc.mdx index 0c0f9efda..677db04ff 100644 --- a/website/content/docs/security/acl/auth-methods/oidc.mdx +++ b/website/content/docs/security/acl/auth-methods/oidc.mdx @@ -86,7 +86,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", "Config": { "AllowedRedirectURIs": [ "http://localhost:8550/oidc/callback", diff --git a/website/content/partials/jwt_claim_mapping_details.mdx b/website/content/partials/jwt_claim_mapping_details.mdx index d5f9415b1..5d0131471 100644 --- a/website/content/partials/jwt_claim_mapping_details.mdx +++ b/website/content/partials/jwt_claim_mapping_details.mdx @@ -19,13 +19,18 @@ rule, and the lists of values mapped by `ListClaimMappings` cannot. Assume this is your config snippet: ```json -{ ...other fields... - "ClaimMappings": { - "givenName": "first_name", - "surname": "last_name" - }, - "ListClaimMappings": { - "groups": "groups" +{ + "Name": "example-auth-method", + "Type": "", + "Description": "Example auth method", + "Config": { + "ClaimMappings": { + "givenName": "first_name", + "surname": "last_name" + }, + "ListClaimMappings": { + "groups": "groups" + } } } ```