ContextQMD
Back to Infisical

Machine identities

docs/documentation/platform/access-controls/abac/managing-machine-identity-attributes.mdx

0.159.263.7 KB
Original Source

Machine identities can have metadata set manually, just like users. In addition, during the machine authentication process (e.g., via OIDC), extra attributes called claims—are provided, which can be used in your ABAC policies.

Setting Metadata on Machine Identities

<Tabs> <Tab title="Manually Configure Metadata"> <Steps> <Step title="Navigate to the Access Control page on the organization sidebar and select a machine identity."> 
  </Step>
  <Step title="On the machine identity page, click the pencil icon to edit the selected identity.">
    
  </Step>
  <Step title="Add metadata via key-value pairs and update the machine identity.">
    
  </Step>
</Steps>
</Tab> </Tabs>

Accessing Attributes From Machine Identity Login

When machine identities authenticate, they may receive additional payloads/attributes from the service provider. For methods like OIDC, these come as claims in the token and can be made available in your policies.

<Tabs> <Tab title="OIDC Login Attributes"> 1. Navigate to the Identity Authentication settings and select the OIDC Auth Method. 2. In the **Advanced section**, locate the Claim Mapping configuration. 3. Map the OIDC claims to permission attributes by specifying: - **Attribute Name:** The identifier to be used in your policies (e.g., department). - **Claim Path:** The dot notation path to the claim in the OIDC token (e.g., user.department). 
For example, if your OIDC provider returns:

```json
{
  "sub": "machine456",
  "name": "Service A",
  "user": {
    "department": "engineering",
    "role": "service"
  }
}
```

You might map:

- **department:** to `user.department`
- **role:** to `user.role`

Once configured, these attributes become available in your policies using the following format:

```
{{ identity.auth.oidc.claims.<permission claim name> }}
```
</Tab> <Tab title="Kubernetes Login Attributes"> For identities authenticated using Kubernetes, the service account's namespace and name are available in their policy and can be accessed as follows: 
```
{{ identity.auth.kubernetes.namespace }}
{{ identity.auth.kubernetes.name }}
```
</Tab> <Tab title="AWS Attributes"> For identities authenticated using AWS Auth, several attributes can be accessed. On top of the 3 base attributes, there's 4 derived from the ARN. The example below includes comments showing how each derived attribute looks like based on this ARN: `arn:aws:iam::123456789012:user/example-user` 
```
{{ identity.auth.aws.accountId }}
{{ identity.auth.aws.arn }}
{{ identity.auth.aws.userId }}

// Derived from ARN
{{ identity.auth.aws.partition }} // aws
{{ identity.auth.aws.service }} // iam
{{ identity.auth.aws.resourceType }} // user
{{ identity.auth.aws.resourceName }} // example-user
```
</Tab> <Tab title="Other Authentication Method Attributes"> At the moment we only support OIDC claims, Kubernetes attributes, and AWS attributes. Payloads on other authentication methods are not yet accessible. </Tab> </Tabs>