Authentication Archives - ISbyR (Infrequent Smarts by Reshetnikov)
https://isbyr.com/tag/authentication/

How to use an SSH key stored in Azure Key Vault while building Azure Linux VMs using Terraform
https://isbyr.com/how-to-use-an-ssh-key-stored-in-azure-key-vault-while-building-azure-linux-vms-using-terraform/
Mon, 03 Oct 2022 20:14:01 +0000
So I want to use the same SSH public key to authenticate across multiple Linux VMs that I’m building in Azure with Terraform. While I did find a lot of examples (including in the Terraform example repo) of how to do it if you have the key stored on your local machine, I couldn’t find (or didn’t search long enough for) how to use an SSH key stored in Azure Key Vault while building Azure Linux VMs using Terraform.

So, to reiterate what I have and what I want:

I have:

  • a private key stored on my machine (that will be used in the future)
  • a corresponding public key dev-mgmt-ssh-key stored in an existing Azure Key Vault kv-dev-mgmt (which I don’t want to be managed by Terraform, but only used by it)

I want:

  • Terraform to read the public key that is stored in the Azure Key Vault
  • Terraform to use that key while provisioning new VM(s)

Using Terraform to read a key that is stored in Azure Key Vault

We will be using Terraform data sources to read the existing key (the Key Vault and the key themselves stay unmanaged by Terraform):

# Get existing Key Vault
data "azurerm_key_vault" "kv" {
  name                = "kv-dev-mgmt"
  resource_group_name = "rg-master"
}

# Get existing Key
data "azurerm_key_vault_key" "ssh_key" {
  name         = "dev-mgmt-ssh-key"
  key_vault_id = data.azurerm_key_vault.kv.id
}

Step 1: we used the azurerm_key_vault data source to look up the existing Azure Key Vault by specifying the Resource Group and Key Vault names.

Step 2: we used the azurerm_key_vault_key data source to look up our key by providing the Key Vault Id and the key name.

Now the key is available through the ssh_key data source for later reference.

Providing an ssh public key to Azure Linux VM in Terraform

# Create a VM
resource "azurerm_linux_virtual_machine" "main" {
  name                            = .....
  resource_group_name             = .....
  location                        = .....
  size                            = .....
  admin_username                  = "adminuser"
  admin_ssh_key {
    username   = "adminuser"
    # OpenSSH ("ssh-rsa AAAA...") form of the public key read from Key Vault
    public_key = data.azurerm_key_vault_key.ssh_key.public_key_openssh
  }
  disable_password_authentication = true
}

Note: I have redacted all the configuration lines that are irrelevant to the SSH section (like image type, networking, disk, etc.).

We are passing the public_key_openssh attribute of our ssh_key data source to the public_key property of the admin_ssh_key block.

We also disable password authentication by setting disable_password_authentication to true, so the VM accepts key-based SSH logins only.

Error: decoding … for public key data

As a bonus: I initially tried to use the public_key_pem attribute of the ssh_key data source, but that, while passing the terraform validate step, didn’t work when running apply and failed with the message ‘Error: decoding "admin_ssh_key.0.public_key" for public key data’. The admin_ssh_key block expects the key in OpenSSH authorized_keys form ("ssh-rsa AAAA..."), not PEM, and since the value comes from a data source the format mismatch only surfaces once the provider decodes the real value, not during validate.

Return user roles in Auth0
https://isbyr.com/return-user-roles-in-auth0/
Tue, 07 May 2019 20:03:22 +0000
I wanted to play with SAML authentication in Splunk and decided to use Auth0 as my SAML Identity Provider (IdP).
Since I’ve never worked with Auth0, I just followed the "SAML SSO with Auth0 as Service Provider and as an Identity Provider" tutorial, which worked well, but when I tried to use Splunk as the Service Provider (SP), i.e. the SAML service consumer, I noticed that roles are not returned in the Auth0 SAML assertion, so I had to find a way to return user roles from Auth0 together with the other user information.

Of course, the prerequisite for returning the roles assigned to a user is to have them defined, so configure a few Roles under the Users & Roles section on the left and assign one or more roles to a user.

Auth0 Roles

I’ve created bu1_p and bu2_p (as in Business Unit 1/2 – Power User).

Next, you will need to configure a Rule.

“Rules are JavaScript functions that execute when a user authenticates to your application. They run once the authentication process is complete, and you can use them to customize and extend Auth0’s capabilities.”

So, from different sources, I’ve stitched together a simple rule that takes the roles assigned to a user and adds them to the user object that is passed on.

Go to Rules and create a new Rule using the empty rule template.

Update the function to look like this:

function (user, context, callback) {
  // Get the user roles from the Authorization context
  const assignedRoles = (context.authorization || {}).roles;
  // Update the user object.
  user.rolez = assignedRoles;
  callback(null, user, context);
}

Save it.

If you want to test it, click the “TRY THIS RULE” button, but don’t forget to update the context to include the authorization object with the roles (the last few lines in the snippet below):

{
  "clientID":            "123456789",
  "clientName":          "MyWebApp",
  "connection":          "MyDbConn",
  "connectionStrategy":  "auth0",
  "protocol":            "oidc-basic-profile",
  "request": {
    "query":             { "scope": "openid" },
    "body":              {},
    "userAgent":         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
    "ip":                "X.X.X.X",
    "geoip":             { "country_code":"AR", "country_code3":"ARG", "country_name":"Argentina", "region":"08", "city":"Federal", "postal_code":"3180", "latitude":-30.954599380493164, "longitude":-58.78329849243164, "continent_code":"SA", "time_zone":"America/Argentina/Buenos_Aires" }  },
  "samlConfiguration":   {},
  "stats":               { "loginsCount": 5 },
  "accessToken":         {},
  "idToken":             {},
  "authorization": {
    "roles" : "role1, role2"
  }
}

That’s it; now each login will return the user’s Auth0 roles as the “rolez” attribute.

Rule Try Output
