From 5d349cf6f3c32c1e71e1ff71b9b6937d0ac31cc7 Mon Sep 17 00:00:00 2001 From: Blake Covarrubias Date: Tue, 19 Sep 2023 16:34:54 -0700 Subject: [PATCH] docs: Add complete auth method payloads (#18849) This commit modifies the example payloads for various auth methods to remove 'other fields' and instead use complete example payloads. --- .../content/api-docs/acl/binding-rules.mdx | 98 ++++++++++++++----- .../security/acl/auth-methods/aws-iam.mdx | 4 +- .../docs/security/acl/auth-methods/jwt.mdx | 12 ++- .../security/acl/auth-methods/kubernetes.mdx | 6 +- .../docs/security/acl/auth-methods/oidc.mdx | 4 +- .../partials/jwt_claim_mapping_details.mdx | 19 ++-- 6 files changed, 105 insertions(+), 38 deletions(-) diff --git a/website/content/api-docs/acl/binding-rules.mdx b/website/content/api-docs/acl/binding-rules.mdx index 043086f58a..10be5f9d20 100644 --- a/website/content/api-docs/acl/binding-rules.mdx +++ b/website/content/api-docs/acl/binding-rules.mdx @@ -62,38 +62,63 @@ The corresponding CLI command is [`consul acl binding-rule create`](/consul/comm - `BindType=service` - The computed bind name value is used as an `ACLServiceIdentity.ServiceName` field in the token that is created. + + ```json - { ...other fields... - "ServiceIdentities": [ - { "ServiceName": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "ServiceIdentities": [ + { + "ServiceName": "" + } + ] } ``` + + - `BindType=node` - The computed bind name value is used as an `ACLNodeIdentity.NodeName` field in the token that is created. + + ```json - { ...other fields... - "NodeIdentities": [ - { "NodeName": "", "Datacenter": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "NodeIdentities": [ + { + "NodeName": "", + "Datacenter": "" + } + ] } ``` + + - `BindType=role` - The computed bind name value is used as a `RoleLink.Name` field in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored. + + ```json - { ...other fields... - "Roles": [ - { "Name": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "Roles": [ + { + "Name": "" + } + ] } ``` + + - `BindName` `(string: )` - The name to bind to a token at login-time. What it binds to can be adjusted with different values of the `BindType` field. This can either be a plain string or lightly templated @@ -250,38 +275,63 @@ The corresponding CLI command is [`consul acl binding-rule update`](/consul/comm - `BindType=service` - The computed bind name value is used as an `ACLServiceIdentity.ServiceName` field in the token that is created. + + ```json - { ...other fields... - "ServiceIdentities": [ - { "ServiceName": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "ServiceIdentities": [ + { + "ServiceName": "" + } + ] } ``` + + - `BindType=node` - The computed bind name value is used as an `ACLNodeIdentity.NodeName` field in the token that is created. + + ```json - { ...other fields... - "NodeIdentities": [ - { "NodeName": "", "Datacenter": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "NodeIdentities": [ + { + "NodeName": "", + "Datacenter": "" + } + ] } ``` + + - `BindType=role` - The computed bind name value is used as a `RoleLink.Name` field in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored. + + ```json - { ...other fields... - "Roles": [ - { "Name": "" } - ] + { + "AccessorID": "", + "SecretID": "", + "Roles": [ + { + "Name": "" + } + ] } ``` + + - `BindName` `(string: )` - The name to bind to a token at login-time. What it binds to can be adjusted with different values of the `BindType` field. This can either be a plain string or lightly templated diff --git a/website/content/docs/security/acl/auth-methods/aws-iam.mdx b/website/content/docs/security/acl/auth-methods/aws-iam.mdx index 72e17f7cbf..bf4433a1a1 100644 --- a/website/content/docs/security/acl/auth-methods/aws-iam.mdx +++ b/website/content/docs/security/acl/auth-methods/aws-iam.mdx @@ -86,7 +86,9 @@ parameters for an auth method of type `aws-iam`: ```json { - ...other fields... + "Name": "example-iam-auth", + "Type": "aws-iam", + "Description": "Example AWS IAM auth method", "Config": { "BoundIAMPrincipalARNs": ["arn:aws:iam::123456789012:role/MyRoleName"], "EnableIAMEntityDetails": true, diff --git a/website/content/docs/security/acl/auth-methods/jwt.mdx b/website/content/docs/security/acl/auth-methods/jwt.mdx index 1e99502c0c..c019ad18ff 100644 --- a/website/content/docs/security/acl/auth-methods/jwt.mdx +++ b/website/content/docs/security/acl/auth-methods/jwt.mdx @@ -92,7 +92,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-jwt-auth-static-keys", + "Type": "jwt", + "Description": "Example JWT auth method with static keys", "Config": { "BoundIssuer": "corp-issuer", "JWTValidationPubKeys": [ @@ -113,7 +115,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-jwt-auth-jwks", + "Type": "jwt", + "Description": "Example JWT auth method with JWKS", "Config": { "JWKSURL": "https://my-corp-jwks-url.example.com/", "ClaimMappings": { @@ -131,7 +135,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", "Config": { "BoundAudiences": [ "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt" diff --git a/website/content/docs/security/acl/auth-methods/kubernetes.mdx b/website/content/docs/security/acl/auth-methods/kubernetes.mdx index 13f76481c9..a5505f5d0b 100644 --- a/website/content/docs/security/acl/auth-methods/kubernetes.mdx +++ b/website/content/docs/security/acl/auth-methods/kubernetes.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Kubernetes Auth Method +page_title: Kubernetes Auth Method description: >- Use the Kubernetes auth method type to authenticate to Consul with a Kubernetes service account token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure auth method parameters using this reference page and example configuration. --- @@ -61,7 +61,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-k8s-auth", + "Type": "kubernetes", + "Description": "Example JWT auth method", "Config": { "Host": "https://192.0.2.42:8443", "CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n", diff --git a/website/content/docs/security/acl/auth-methods/oidc.mdx b/website/content/docs/security/acl/auth-methods/oidc.mdx index 0c0f9efda0..677db04ffc 100644 --- a/website/content/docs/security/acl/auth-methods/oidc.mdx +++ b/website/content/docs/security/acl/auth-methods/oidc.mdx @@ -86,7 +86,9 @@ parameters are required to properly configure an auth method of type ```json { - ...other fields... + "Name": "example-oidc-auth", + "Type": "oidc", + "Description": "Example OIDC auth method", "Config": { "AllowedRedirectURIs": [ "http://localhost:8550/oidc/callback", diff --git a/website/content/partials/jwt_claim_mapping_details.mdx b/website/content/partials/jwt_claim_mapping_details.mdx index d5f9415b1a..5d0131471b 100644 --- a/website/content/partials/jwt_claim_mapping_details.mdx +++ b/website/content/partials/jwt_claim_mapping_details.mdx @@ -19,13 +19,18 @@ rule, and the lists of values mapped by `ListClaimMappings` cannot. Assume this is your config snippet: ```json -{ ...other fields... - "ClaimMappings": { - "givenName": "first_name", - "surname": "last_name" - }, - "ListClaimMappings": { - "groups": "groups" +{ + "Name": "example-auth-method", + "Type": "", + "Description": "Example auth method", + "Config": { + "ClaimMappings": { + "givenName": "first_name", + "surname": "last_name" + }, + "ListClaimMappings": { + "groups": "groups" + } } } ```