Backport of docs: Add complete auth method payloads into release/1.16.x (#18912)
backport of commit 30b6777cb3f04589a7bdd0f6089be2d623454ed2 Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
This commit is contained in:
parent
5e96c31c79
commit
c7f6602f1f
|
@ -62,38 +62,63 @@ The corresponding CLI command is [`consul acl binding-rule create`](/consul/comm
|
|||
- `BindType=service` - The computed bind name value is used as an
|
||||
`ACLServiceIdentity.ServiceName` field in the token that is created.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"ServiceIdentities": [
|
||||
{ "ServiceName": "<computed BindName>" }
|
||||
{
|
||||
"ServiceName": "<computed BindName>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindType=node` - The computed bind name value is used as an
|
||||
`ACLNodeIdentity.NodeName` field in the token that is created.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"NodeIdentities": [
|
||||
{ "NodeName": "<computed BindName>", "Datacenter": "<local datacenter>" }
|
||||
{
|
||||
"NodeName": "<computed BindName>",
|
||||
"Datacenter": "<local datacenter>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
|
||||
field in the token that is created. This binding rule will only apply if a
|
||||
role with the given name exists at login-time. If it does not then this
|
||||
rule is ignored.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"Roles": [
|
||||
{ "Name": "<computed BindName>" }
|
||||
{
|
||||
"Name": "<computed BindName>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindName` `(string: <required>)` - The name to bind to a token at
|
||||
login-time. What it binds to can be adjusted with different values of the
|
||||
`BindType` field. This can either be a plain string or lightly templated
|
||||
|
@ -250,38 +275,63 @@ The corresponding CLI command is [`consul acl binding-rule update`](/consul/comm
|
|||
- `BindType=service` - The computed bind name value is used as an
|
||||
`ACLServiceIdentity.ServiceName` field in the token that is created.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"ServiceIdentities": [
|
||||
{ "ServiceName": "<computed BindName>" }
|
||||
{
|
||||
"ServiceName": "<computed BindName>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindType=node` - The computed bind name value is used as an
|
||||
`ACLNodeIdentity.NodeName` field in the token that is created.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"NodeIdentities": [
|
||||
{ "NodeName": "<computed BindName>", "Datacenter": "<local datacenter>" }
|
||||
{
|
||||
"NodeName": "<computed BindName>",
|
||||
"Datacenter": "<local datacenter>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
|
||||
field in the token that is created. This binding rule will only apply if a
|
||||
role with the given name exists at login-time. If it does not then this
|
||||
rule is ignored.
|
||||
|
||||
<CodeBlockConfig heading="Equivalent payload for Consul token API endpoint">
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"AccessorID": "<token accessor ID>",
|
||||
"SecretID": "<token secret ID>",
|
||||
"Roles": [
|
||||
{ "Name": "<computed BindName>" }
|
||||
{
|
||||
"Name": "<computed BindName>"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
- `BindName` `(string: <required>)` - The name to bind to a token at
|
||||
login-time. What it binds to can be adjusted with different values of the
|
||||
`BindType` field. This can either be a plain string or lightly templated
|
||||
|
|
|
@ -86,7 +86,9 @@ parameters for an auth method of type `aws-iam`:
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-iam-auth",
|
||||
"Type": "aws-iam",
|
||||
"Description": "Example AWS IAM auth method",
|
||||
"Config": {
|
||||
"BoundIAMPrincipalARNs": ["arn:aws:iam::123456789012:role/MyRoleName"],
|
||||
"EnableIAMEntityDetails": true,
|
||||
|
|
|
@ -92,7 +92,9 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-jwt-auth-static-keys",
|
||||
"Type": "jwt",
|
||||
"Description": "Example JWT auth method with static keys",
|
||||
"Config": {
|
||||
"BoundIssuer": "corp-issuer",
|
||||
"JWTValidationPubKeys": [
|
||||
|
@ -113,7 +115,9 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-jwt-auth-jwks",
|
||||
"Type": "jwt",
|
||||
"Description": "Example JWT auth method with JWKS",
|
||||
"Config": {
|
||||
"JWKSURL": "https://my-corp-jwks-url.example.com/",
|
||||
"ClaimMappings": {
|
||||
|
@ -131,7 +135,9 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-oidc-auth",
|
||||
"Type": "oidc",
|
||||
"Description": "Example OIDC auth method",
|
||||
"Config": {
|
||||
"BoundAudiences": [
|
||||
"V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
|
||||
|
|
|
@ -61,7 +61,9 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-k8s-auth",
|
||||
"Type": "kubernetes",
|
||||
"Description": "Example JWT auth method",
|
||||
"Config": {
|
||||
"Host": "https://192.0.2.42:8443",
|
||||
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||
|
|
|
@ -86,7 +86,9 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
```json
|
||||
{
|
||||
...other fields...
|
||||
"Name": "example-oidc-auth",
|
||||
"Type": "oidc",
|
||||
"Description": "Example OIDC auth method",
|
||||
"Config": {
|
||||
"AllowedRedirectURIs": [
|
||||
"http://localhost:8550/oidc/callback",
|
||||
|
|
|
@ -19,7 +19,11 @@ rule, and the lists of values mapped by `ListClaimMappings` cannot.
|
|||
Assume this is your config snippet:
|
||||
|
||||
```json
|
||||
{ ...other fields...
|
||||
{
|
||||
"Name": "example-auth-method",
|
||||
"Type": "<jwt|oidc>",
|
||||
"Description": "Example auth method",
|
||||
"Config": {
|
||||
"ClaimMappings": {
|
||||
"givenName": "first_name",
|
||||
"surname": "last_name"
|
||||
|
@ -28,6 +32,7 @@ Assume this is your config snippet:
|
|||
"groups": "groups"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
This specifies that the values in the JWT claims `"givenName"` and `"surname"`
|
||||
|
|
Loading…
Reference in New Issue