Allow service identity tokens the ability to read jwt-providers (#17893)

* Allow service identity tokens the ability to read jwt-providers

* more tests

* service_prefix tests

agent/structs/config_entry_jwt_provider.go

@@ -316,6 +316,15 @@ func (e *JWTProviderConfigEntry) GetRaftIndex() *RaftIndex               { retur
 func (e *JWTProviderConfigEntry) CanRead(authz acl.Authorizer) error {
 	var authzContext acl.AuthorizerContext
 	e.FillAuthzContext(&authzContext)
+
+	// allow service-identity tokens the ability to read jwt-providers
+	// this is a workaround to allow sidecar proxies to read the jwt-providers
+	// see issue: https://github.com/hashicorp/consul/issues/17886 for more details
+	err := authz.ToAllowAuthorizer().ServiceWriteAnyAllowed(&authzContext)
+	if err == nil {
+		return err
+	}
+
 	return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
 }
 

agent/structs/config_entry_jwt_provider_test.go

@@ -338,6 +338,24 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 					canRead:    false,
 					canWrite:   false,
 				},
+				{
+					name:       "jwt-provider: any service write",
+					authorizer: newTestAuthz(t, `service "" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
+				{
+					name:       "jwt-provider: specific service write",
+					authorizer: newTestAuthz(t, `service "web" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
+				{
+					name:       "jwt-provider: any service prefix write",
+					authorizer: newTestAuthz(t, `service_prefix "" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
 				{
 					name:       "jwt-provider: mesh read",
 					authorizer: newTestAuthz(t, `mesh = "read"`),