Allow service identity tokens the ability to read jwt-providers

hashicorp · Jun 27, 2023 · 72308dd · 72308dd
1 parent 6bc2222
commit 72308dd
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/agent/structs/config_entry_jwt_provider.go b/agent/structs/config_entry_jwt_provider.go
@@ -316,6 +316,15 @@ func (e *JWTProviderConfigEntry) GetRaftIndex() *RaftIndex               { retur
 func (e *JWTProviderConfigEntry) CanRead(authz acl.Authorizer) error {
 	var authzContext acl.AuthorizerContext
 	e.FillAuthzContext(&authzContext)
+
+	// allow service-identity tokens the ability to read jwt-providers
+	// this is a workaround to allow sidecar proxies to read the jwt-providers
+	// see issue: https://github.com/hashicorp/consul/issues/17886 for more details
+	err := authz.ToAllowAuthorizer().ServiceWriteAnyAllowed(&authzContext)
+	if err == nil {
+		return err
+	}
+
 	return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
 }
 

diff --git a/agent/structs/config_entry_jwt_provider_test.go b/agent/structs/config_entry_jwt_provider_test.go
@@ -338,6 +338,12 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 					canRead:    false,
 					canWrite:   false,
 				},
+				{
+					name:       "jwt-provider: service write",
+					authorizer: newTestAuthz(t, `service "" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
 				{
 					name:       "jwt-provider: mesh read",
 					authorizer: newTestAuthz(t, `mesh = "read"`),