I can’t find information on how to allow an approle to access multiple namespaces. As an example, I want the approle to be able to read the secrets from the kv store in namespace A and issue certificates with pki, which is in namespace B. All the information that I’ve found is for user and user aliases.
Up to Vault 1.12, there is exactly one way to do this: The AppRole auth method used MUST be in a parent namespace to namespaces A and B.
This is because the namespace originally used to authenticate functions something a bit like a “chroot” in Unix filesystems, forcibly bounding all further operations of that authentication to that namespace and its children.
HashiCorp introduced an opt-out to a different model in Vault 1.13, explained in “Secrets Management Across Namespaces without Hierarchical Relationship” (Vault, HashiCorp Developer).
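
The parent-namespace approach described in the answer above can be expressed as a single ACL policy. This is an added example, not part of the original posts; it assumes the AppRole auth method is mounted in the direct parent of namespaces A and B, and the mount paths `secret/` (KV v2) and `pki/` and the PKI role name `app-cert` are hypothetical.

```hcl
# Constructed example policy, created in the namespace that is the direct
# parent of A and B (the same namespace where the AppRole auth method lives).
# Assumed names, not from the thread: KV v2 mount "secret/" in A,
# PKI mount "pki/" in B, PKI role "app-cert". Substitute your own.

# Read secrets from the KV v2 store in child namespace A.
# A policy in a parent namespace addresses a child's mounts by prefixing
# the path with the child namespace name.
path "A/secret/data/*" {
  capabilities = ["read"]
}

# Optional: list secret names in A (KV v2 metadata endpoint).
path "A/secret/metadata/*" {
  capabilities = ["list"]
}

# Issue certificates from the PKI engine in child namespace B,
# limited to one PKI role rather than the whole mount.
path "B/pki/issue/app-cert" {
  capabilities = ["create", "update"]
}
```

Attach the policy to the AppRole role through its `token_policies` setting in the parent namespace. A token obtained by logging in there can then reach both children, either by path prefix as above or by setting the `X-Vault-Namespace` header on each request.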