Vault (archived)
Discussions related to HashiCorp Vault
John-Paul Pagano, almost 4 years ago
Vault: v1.9.3 (OSS)
O.S.: Centos7
HA = Enabled
storage_type = Consul v1.11.2
Hi,
I’m deploying Vault with Okta as the auth method. I intend to use ACL templating in policies to give each user control over a personal and persistent (i.e., non-cubbyhole) area of the KV version 2 secrets engine. To wit:
path "kv/data/user/{{identity.entity.aliases.auth_okta_XYZ123.name}}/*"
{
capabilities = [ "create", "update", "read", "delete", "list" ]
}
etc., related policies.
The problem is that the part of the path that is specific to the user:
{{identity.entity.aliases.auth_okta_XYZ123.name}}/*
is not created before the user logs in and is not automatically created after authentication. So, unless I’m totally (and entirely possibly!) misunderstanding how this is supposed to work, I’m left with an awkward workflow that boils down to presetting the paths for hundreds of users (without foreknowledge of whether they even intend to login), or asking them to create directories matching their login ids when they login for the first time.
Additional confusion is wrought by the fact that it doesn’t seem possible to create an empty k/v entry that acts as a “folder”. Is that true?
What is the right way to accomplish what I’m trying to do?
Thanks!
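The two things the question turns on are (1) that Vault fills the `{{identity.entity.aliases.<accessor>.name}}` parameter at request time from the calling token's entity, so a rule can authorize a path that nobody has written to yet, and (2) that KV v2 has no directories at all: a "folder" is just a prefix shared by stored keys, it comes into existence with the first write under it, and `list` is served from `kv/metadata/...`, not `kv/data/...`. The following is an added example, written for this page and not code from Vault or from the poster; it is a small Python model of that evaluation rather than a call to a live Vault. The mount accessor `auth_okta_XYZ123` is the placeholder from the question, the metadata-path rule is an addition the poster's policy would need for `list`, and the entities and secrets are constructed. Vault's `+` segment wildcard and the 404 it returns for an empty list are not modeled.

```python
import re

# Placeholder accessor from the question; a real one looks like auth_okta_1a2b3c4d.
OKTA_ACCESSOR = "auth_okta_XYZ123"

# The poster's data-path rule, plus the metadata-path rule KV v2 needs for `list`.
POLICY = {
    "kv/data/user/{{identity.entity.aliases.%s.name}}/*" % OKTA_ACCESSOR:
        {"create", "update", "read", "delete", "list"},
    "kv/metadata/user/{{identity.entity.aliases.%s.name}}/*" % OKTA_ACCESSOR:
        {"list", "read", "delete"},
}

TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.name\}\}")


def render_policy(policy, entity):
    """Fill the alias-name parameter from the entity's alias on that mount.
    Vault does this per request, so the user's path never has to pre-exist.
    A rule whose parameter the entity cannot fill is dropped (no alias on the
    Okta mount => that rule grants nothing)."""
    rendered = {}
    for path, caps in policy.items():
        missing = False

        def fill(match):
            nonlocal missing
            name = entity["aliases"].get(match.group(1))
            if name is None:
                missing = True
                return ""
            return name

        out = TEMPLATE_RE.sub(fill, path)
        if not missing:
            rendered[out] = caps
    return rendered


def rule_matches(rule_path, request_path):
    """Exact match, or a trailing '*' glob matching any suffix (even empty)."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def allowed(policy, entity, capability, request_path):
    """Most specific (longest) matching rendered rule wins; no rule => deny."""
    rendered = render_policy(policy, entity)
    matches = [p for p in rendered if rule_matches(p, request_path)]
    if not matches:
        return False
    return capability in rendered[max(matches, key=len)]


class KvV2:
    """No directories: a 'folder' is only a prefix of stored keys. It appears
    on the first write beneath it; `list` derives child names from the keys."""

    def __init__(self):
        self._secrets = {}  # "<path>" -> latest version's data

    def write(self, path, data):
        self._secrets[path] = dict(data)

    def read(self, path):
        return self._secrets.get(path)

    def list(self, prefix):
        found = set()
        for key in self._secrets:
            if key.startswith(prefix):
                head, sep, _ = key[len(prefix):].partition("/")
                found.add(head + "/" if sep else head)
        return sorted(found)


def kv_request(store, policy, entity, capability, path, data=None):
    """Authorize against the policy, then perform the KV v2 operation.
    Returns ("denied", None) or ("ok", result)."""
    if not allowed(policy, entity, capability, path):
        return "denied", None
    mount_path = path.split("/", 2)[2]  # strip "kv/data/" or "kv/metadata/"
    if capability in ("create", "update"):
        store.write(mount_path, data)
        return "ok", None
    if capability == "read":
        return "ok", store.read(mount_path)
    if capability == "list":
        return "ok", store.list(mount_path)
    raise ValueError(capability)


# Constructed entities: alice and bob have Okta aliases; carol only has userpass.
ALICE = {"name": "alice", "aliases": {OKTA_ACCESSOR: "alice@example.com"}}
BOB = {"name": "bob", "aliases": {OKTA_ACCESSOR: "bob@example.com"}}
CAROL = {"name": "carol", "aliases": {"auth_userpass_abc": "carol"}}


def demo():
    store = KvV2()
    home = "kv/data/user/alice@example.com/"
    meta = "kv/metadata/user/alice@example.com/"
    r = {}
    r["empty_list"] = kv_request(store, POLICY, ALICE, "list", meta)      # allowed, nothing there yet
    r["first_write"] = kv_request(store, POLICY, ALICE, "create", home + "db/prod", {"pw": "s3cr3t"})
    r["list_after"] = kv_request(store, POLICY, ALICE, "list", meta)      # "db/" now exists implicitly
    r["bob_read"] = kv_request(store, POLICY, BOB, "read", home + "db/prod")  # bob's rule renders to his own prefix
    r["carol_write"] = kv_request(store, POLICY, CAROL, "create", "kv/data/user/carol/x", {"a": 1})
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run as-is to see that alice's "folder" needs no pre-provisioning (her first `create` brings it into existence), that bob's identically templated policy resolves to a different prefix and so denies him alice's secret, and that an entity with no alias on the Okta mount gets nothing from the templated rule. In a real deployment, substitute the accessor from `vault auth list` for the placeholder and grant `list` on `kv/metadata/user/<template>/*` as above, since KV v2 does not serve `list` from the `data/` path.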