A way to allow a user to change its own password?

Hello,
I'm having trouble changing the user's password.
No matter how I look at it, I don't know.
Please help me!

  • vault version : v1.9.4

[azureuser@kb-aad-test ~]$ vault auth list
Path         Type        Accessor                  Description
----         ----        --------                  -----------
azure/       azure       auth_azure_262b4556       n/a
token/       token       auth_token_63a1df07       token based credentials
userpass/    userpass    auth_userpass_b6d16978    n/a

[azureuser@kb-aad-test ~]$ vault write auth/userpass/users/testuser password=test policies=userpass
Success! Data written to: auth/userpass/users/testuser

[azureuser@kb-aad-test ~]$ vault login -method=userpass username=testuser
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.0GGttIf7lct3K5SMG1s31vYg
token_accessor       Keow4BgtT40gcBlRuD3Hemah
token_duration       768h
token_renewable      true
token_policies       ["userpass" "default"]
identity_policies
policies             ["userpass" "default"]
token_meta_username  testuser

[azureuser@kb-aad-test ~]$ vault write auth/userpass/users/testuser password=newpass
Error writing data to auth/userpass/users/testuser: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/userpass/users/testuser
Code: 403. Errors:

* 1 error occurred:
	* permission denied

My policy is as follows.

path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_b6d16978.name}}" {
  capabilities = [ "update" ]
  allowed_parameters = {
    "password" = []
  }
}

What am I missing?
Please comment!

There is something else going on, because that's exactly what I have and it's working fine.

$ vault version
Vault v1.9.4 (fcbe948b2542a13ee8036ad07dd8ebf8554f56cb)
$ vault auth list | grep userpass
userpass/    userpass    auth_userpass_fd6fd972    n/a

The policy matches the accessor:

$ vault policy read userpass
path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_fd6fd972.name}}" {
  capabilities = [ "update" ]
  allowed_parameters = {
    "password" = []
  }
}

Verifying access and doing a password update.

$ vault token capabilities $(vault print token) auth/userpass/users/testuser
update
$ vault write auth/userpass/users/testuser password=newpassword
Success! Data written to: auth/userpass/users/testuser

This is probably a silly question, but what is the name of your policy? I assume it's userpass, but I just want to confirm.

Thank you all very much.
At the time of the last test, I think something went wrong while setting up the UI and CLI.

So I deleted the VM and recreated it.
After that, I set it up using only the CLI, and I confirmed that the userpass policy works normally!

Thanks!

Hi all, I just arrived here from a search and thought I'd add that, if you want the user to be able to update their password via the Web UI as well, this policy will work for both:

path "auth/userpass/users/{{identity.entity.aliases.<your-mount-accessor>.name}}/password" {
  capabilities = [ "update" ]
}
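The following script is an added example, not code posted by anyone in this thread. It automates the procedure the accepted reply walks through (read the mount accessor, render the templated policy, create a user, log in, check `vault token capabilities`, change the password) and adds the two negative checks a practitioner should run: that `allowed_parameters` stops the user from rewriting their own `token_policies` through the same endpoint, and that another user's entry is out of reach. The rendered policy carries both path forms seen in the thread, the generic user endpoint restricted to the `password` parameter and the `/password` sub-endpoint from the last reply. It assumes `VAULT_ADDR` and `VAULT_TOKEN` point at a Vault where the token can write policies and userpass users, that `vault` and `jq` are on `PATH`, and that userpass is mounted at `auth/userpass/`; the policy name `self-password`, the user `testuser` and the password values are throwaway demo values.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread): set up and verify a
# "change your own password" policy for Vault's userpass auth method.
# Assumptions: VAULT_ADDR/VAULT_TOKEN point at a Vault where the token can
# manage policies and the userpass mount; `vault` and `jq` are on PATH;
# userpass is mounted at auth/userpass/. User/password values are demo values.
set -eu

MOUNT="userpass"
DEMO_USER="testuser"

# Read the accessor from Vault instead of pasting it. The template
# {{identity.entity.aliases.<accessor>.name}} resolves only for the alias
# belonging to this exact mount; a stale or mistyped accessor renders to a
# path the user does not own and every write ends in "permission denied".
mount_accessor() {
  vault auth list -format=json | jq -r --arg m "$MOUNT/" '.[$m].accessor'
}

# Render the policy for a given mount accessor.
# Stanza 1: the generic user endpoint, limited by allowed_parameters so the
#   caller may send only "password". A plain "update" here would also let the
#   user rewrite their own token_policies (privilege escalation).
# Stanza 2: the dedicated password endpoint, which the last reply in the
#   thread reports also works from the Web UI.
render_policy() {
  accessor="$1"
  cat <<EOF
path "auth/$MOUNT/users/{{identity.entity.aliases.${accessor}.name}}" {
  capabilities = [ "update" ]
  allowed_parameters = {
    "password" = []
  }
}

path "auth/$MOUNT/users/{{identity.entity.aliases.${accessor}.name}}/password" {
  capabilities = [ "update" ]
}
EOF
}

main() {
  accessor="$(mount_accessor)"
  echo "userpass mount accessor: $accessor"

  render_policy "$accessor" | vault policy write self-password -
  vault write "auth/$MOUNT/users/$DEMO_USER" password=initial token_policies=self-password

  # Log in as the user, keep only the token, and run the checks below with it.
  user_token="$(vault write -field=token "auth/$MOUNT/login/$DEMO_USER" password=initial)"

  # 1. The templated path resolved: expect "update" on the user's own entry.
  VAULT_TOKEN="$user_token" vault token capabilities "auth/$MOUNT/users/$DEMO_USER"

  # 2. The password change succeeds through both endpoints.
  VAULT_TOKEN="$user_token" vault write "auth/$MOUNT/users/$DEMO_USER" password=second
  VAULT_TOKEN="$user_token" vault write "auth/$MOUNT/users/$DEMO_USER/password" password=third

  # 3. Escalation is refused: allowed_parameters rejects token_policies.
  if VAULT_TOKEN="$user_token" vault write "auth/$MOUNT/users/$DEMO_USER" \
       password=fourth token_policies=root 2>/dev/null; then
    echo "FAIL: user was able to change its own policies" >&2
    exit 1
  fi

  # 4. Another user's entry is out of reach: the alias name does not match.
  if VAULT_TOKEN="$user_token" vault write "auth/$MOUNT/users/someone-else" \
       password=x 2>/dev/null; then
    echo "FAIL: user could write another user's entry" >&2
    exit 1
  fi
  echo "OK: own password change allowed; policy change and other users denied"
}

# Only touch Vault when asked explicitly (./self-password.sh run), so the
# file can be sourced for render_policy without side effects.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `./self-password.sh run` against a dev or test Vault. If step 1 prints `deny` instead of `update`, the accessor in the policy does not match the accessor of the mount the user logged in through, which is the situation the original post describes.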