Document vault credential library templating (#2635)

* Document credential library injection

* Add caveat about versions < 0.11.1, remove link
pull/2660/head
Dan Heath 4 years ago committed by GitHub
parent 80f72b8511
commit c506107127
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -37,6 +37,40 @@ A Vault credential library has the following additional attributes:
The body of the HTTP request the library sends to Vault when requesting credentials.
Only valid if `http_method` is set to `POST`.
### Vault Credential Library Parameter Templating
Some of the secrets engines that generate dynamic users for external systems provide the ability for Vault operators to customize how usernames are generated for those external systems.
For more information, refer to [Username Templating](https://developer.hashicorp.com/vault/docs/concepts/username-templating/).
The following Vault template parameters are supported in Boundary.
Note that account values are tied to the account associated with the token used to make the call:
- `{{.User.Id}}` - The user's ID.
Prior to Boundary 0.11.1, `{{user.id}}` must be used instead.
Boundary 0.11.1+ changes this for consistency with other places within Boundary that are gaining templating support, but supports both formats for backwards compatibility.
- `{{.User.Name}}` - The user's name from the user resource.
- `{{.User.FullName}}` - The user's name from the account corresponding to the primary auth method in the user's scope.
This value may not be populated, or it may be different from the account name used in the template.
- `{{.User.Email}}` - The user's email address from the account corresponding to the primary auth method in the user's scope.
This value may not be populated, or it may be different from the account name used in the template.
- `{{.Account.Id}}` - The account's ID.
Prior to Boundary 0.11.1, `{{account.id}}` must be used instead.
Boundary 0.11.1+ changes this for consistency with other places within Boundary that are gaining templating support, but supports both formats for backwards compatibility.
- `{{.Account.Name}}` - The name of the account from the account resource.
- `{{.Account.LoginName}}` - The account's login name, if a login name is used by that type of account.
- `{{.Account.Subject}}` - The account's subject, if a subject is used by that type of account.
- `{{.Account.Email}}` - The account's email, if email is used by that type of account.
Additionally, there is currently a single function that strips the rest of a string after a specified substring.
This function is useful for pulling a user or account name from an email address.
The following example turns `foo@example.com` into `foo`:
`{{truncateFrom .Account.Email "@"}}`
The example above uses the account email, but it could be any other parameter.
## Referenced By
- [Credential][]
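
Review bot: The `truncateFrom` paragraph at the end of the new section does not say what the function returns when the substring is absent or when the source parameter is empty, and the `.User.FullName` and `.User.Email` entries say only that the value "may not be populated". Please document what is rendered in both cases (empty string, error, or the input unchanged), since an operator cannot otherwise predict what is sent to Vault. It would also help to note that `{{truncateFrom .Account.Email "@"}}` yields the same value for addresses that share a local part but differ in domain, and to state which library attributes accept these templates, because the intro only points at Vault's username templating page and calls them "Vault template parameters".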
