From b006c47887335b8fbf58bb389a64bb17bc491a61 Mon Sep 17 00:00:00 2001 From: Robin Beck Date: Thu, 9 Oct 2025 07:54:07 -0700 Subject: [PATCH] Docs: clarifies supported vault cred library templating parameters (#6114) * clarifies supported vault templating parameters for generic library vs certificates * fixes anchor links --- .../domain-model/credential-libraries.mdx | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/website/content/docs/domain-model/credential-libraries.mdx b/website/content/docs/domain-model/credential-libraries.mdx index b6216d8c17..e0186d9193 100644 --- a/website/content/docs/domain-model/credential-libraries.mdx +++ b/website/content/docs/domain-model/credential-libraries.mdx @@ -59,7 +59,7 @@ Alternatively, you could set the `session_connection_limit` to `1` for any targe - `vault-path` - (required) The path in Vault to request credentials from. - `username` - (required) The username to use with the SSH certificate. -You can create a template for this value using [Vault credential library parameter templating](#vault-credential-library-parameter-templating). +You can create a template for this value using [Vault credential library parameter templating](#vault-generic-credential-library-parameter-templating. - `key_type` - (optional) The type of key to use for the generated SSH private key. The key type is either `ed25519`, `ecdsa`, or `rsa`. 
@@ -73,7 +73,7 @@ The number of bits depends on the `key_type` value you select: - `ttl` - (optional) The SSH certificate's time-to-live (TTL). -- `key_id` - (optional) The key ID for the created SSH certificate. +- `key_id` - (optional) The key ID for the created SSH certificate. You can create a template for this value using [Vault credential library parameter templating](#vault-certificates-library-parameter-templating). - `critical_options` - (optional) Any critical options that the certificate should be signed for. For more information, refer to the [list of critical options](https://github.com/openssh/openssh-portable/blob/5f93c4836527d9fda05de8944a1c7b4a205080c7/PROTOCOL.certkeys#L221-L269) supported by OpenSSH. 
@@ -86,11 +86,13 @@ Note that the `permit-pty` value should be set for an interactive shell to funct For more information, refer to OpenSSH's ["valid principals" definition](https://github.com/openssh/openssh-portable/blob/5f93c4836527d9fda05de8944a1c7b4a205080c7/PROTOCOL.certkeys#L176-L181) as well as Vault's documentation for the [SSH secrets engine](https://developer.hashicorp.com/vault/api-docs/secret/ssh#valid_principals). Note that all SSH certificates issued by a Vault SSH certificate credential library use the `SSH_CERT_TYPE_USER` certificate type mentioned in the OpenSSH definition link. -### Vault credential library parameter templating +### Vault parameter templating Sometimes it can be useful to provide information about a Boundary user or account when making a call to Vault. For example, this can allow picking the correct role when asking for database credentials (if roles are separated per-user), or providing a value to encode in an X.509 certificate generated by Vault. You can template user and account information into either the path in Vault, the `POST` request body, or both. -The following Vault template parameters are supported in Boundary. +#### Vault generic credential library parameter templating + +The following Vault template parameters are supported in Boundary's Vault generic credential library. Note that account values are tied to the account associated with the token used to make the call: - `{{.User.Id}}` - The user's ID. 
@@ -105,7 +107,15 @@ This value may not be populated, or it may be different from the account name us - `{{.Account.Subject}}` - The account's subject, if a subject is used by that type of account. - `{{.Account.Email}}` - The account's email, if email is used by that type of account. -Additionally, there are a couple of useful functions: +#### Vault certificates library parameter templating + +The following Vault template parameters are supported in Boundary's Vault certificate library. +Note that account values are tied to the account associated with the token used to make the call: + +- `{{.User.Name}}` - The user's name from the user resource. +- `{{.Account.Id}}` - The account's ID. + +#### Useful templating functions: The `truncateFrom` function strips the rest of a string after a specified substring. This function is useful for pulling a user or account name from an
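Review bot: in the first hunk (`@@ -59,7 +59,7 @@`), the rewritten link in the `username` bullet is missing its closing parenthesis: `[Vault credential library parameter templating](#vault-generic-credential-library-parameter-templating.` ends with `.` where `).` is needed, so MDX will render the raw markup instead of a link. Suggested line: `You can create a template for this value using [Vault credential library parameter templating](#vault-generic-credential-library-parameter-templating).` Also, this bullet sits in the SSH certificate library's parameter list but now points at the generic library section, while the `key_id` bullet in the next hunk points at the certificates section; if `username` really supports the full generic parameter set, a short sentence saying so would keep readers from reading the mismatch as an error.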
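Review bot: style point on the second hunk (`@@ -73,7 +73,7 @@`): the templating sentence is appended to the `key_id` bullet on the same line, while the equivalent sentence for `username` in the previous hunk is kept on its own line; use one form for both bullets. The anchor `#vault-certificates-library-parameter-templating` does match the `#### Vault certificates library parameter templating` heading added later in this patch, so the link itself is fine.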
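Review bot: in the third hunk (`@@ -86,11 +86,13 @@`), renaming `### Vault credential library parameter templating` to `### Vault parameter templating` changes the generated anchor, so any link elsewhere in the docs site to `#vault-credential-library-parameter-templating` will break; only this file is in the diff, so a site-wide search for the old anchor (or a redirect/alias) is needed before merging. The new sentence "supported in Boundary's Vault generic credential library" is the first place this section uses the name "generic credential library"; confirm it matches the heading used for that library earlier on the page so readers can connect the two sections.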
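Review bot: in the fourth hunk (`@@ -105,7 +107,15 @@`), the new `#### Useful templating functions:` heading carries a trailing colon that no other heading in the file has; drop it. The heading says "Vault certificates library" while the sentence below it says "Vault certificate library" and the page elsewhere says "Vault SSH certificate credential library"; pick one name. Since the certificates list is a strict subset of the generic list (only `{{.User.Name}}` and `{{.Account.Id}}`), say explicitly that the other `{{.User.*}}` and `{{.Account.*}}` values are not available in that library rather than leaving "supported" to be read as "for example". Finally, the functions section now follows the certificates list instead of the single list it used to follow, so state which library's templates `truncateFrom` and the other functions apply to.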