We’re using Vault 1.7.0 (and GitHub - banzaicloud/bank-vaults) running in EKS. We’re using GitHub teams to assign Vault policies to different users.
Here is a summarised version of the k8s configuration:
vault:
  ...
  spec:
    ...
    externalConfig:
      auth:
        - type: github
          config:
            organization: Foo
          map:
            teams:
              # map of GitHub teams to Vault policies
              blue-team: blue-team-secrets
              green-team: green-team-secrets
      secrets:
        ...
      policies:
        - name: blue-team-secrets
          rules: |
            path "static/metadata/blue-team" {
              capabilities = ["list"]
            }
            path "static/data/blue-team/*" {
              capabilities = ["list", "read", "create", "update", "delete"]
            }
        - name: green-team-secrets
          rules: |
            path "static/metadata/green-team" {
              capabilities = ["list"]
            }
            path "static/data/green-team/*" {
              capabilities = ["list", "read", "create", "update", "delete"]
            }
I was in the blue-team and can add new versions of secrets under static/data/blue-team. I then added myself to the green-team, but can only read secrets under static/data/green-team. It looks like Vault has applied the green-team-secrets policy to my account, but with only list and read permissions.
I tried renewing my token via the web UI, logging out and logging in again, but to no avail.
Is it possible to see via the Vault web UI which policies Vault thinks apply to me?
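Vault itself answers this with `vault token lookup` (the token's `policies` field) and `vault token capabilities <path>` (or the `sys/capabilities-self` API), which the web UI does not expose as directly. The following added example, not code from the post or from Vault, parses the two policies quoted above and reproduces Vault's per-path ACL evaluation (exact rule beats glob, longest glob prefix wins, capabilities for the same path are unioned across the token's policies, `deny` overrides) so you can compare what those two policies should grant against what the token actually gets; the request path is a constructed sample.

```python
import re
from typing import Dict, List, Set

# Policy rules copied from the question's externalConfig (constructed input for this example).
RULES = {
    "blue-team-secrets": '''
path "static/metadata/blue-team" {
  capabilities = ["list"]
}
path "static/data/blue-team/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}
''',
    "green-team-secrets": '''
path "static/metadata/green-team" {
  capabilities = ["list"]
}
path "static/data/green-team/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}
''',
}

# Matches the simple `path "..." { capabilities = [...] }` stanzas used in the post.
STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Parse policy stanzas into {path pattern: set of capabilities}."""
    return {path: set(re.findall(r'"([^"]+)"', caps)) for path, caps in STANZA.findall(hcl)}


def capabilities(token_policies: List[str], request_path: str) -> Set[str]:
    """Model of Vault's ACL evaluation for one request path (not Vault's own code)."""
    merged: Dict[str, Set[str]] = {}
    for name in token_policies:                     # merge all policies on the token
        for pattern, caps in parse_policy(RULES[name]).items():
            merged.setdefault(pattern, set()).update(caps)
    if request_path in merged:                      # an exact rule always wins
        best = merged[request_path]
    else:                                           # otherwise the longest matching glob
        globs = [p for p in merged if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return set()                            # no rule at all: implicit deny
        best = merged[max(globs, key=len)]
    return set() if "deny" in best else best        # deny overrides everything


if __name__ == "__main__":
    for pols in (["blue-team-secrets"], ["blue-team-secrets", "green-team-secrets"]):
        print(pols, "->", sorted(capabilities(pols, "static/data/green-team/db-password")))
```

A token carrying only blue-team-secrets gets nothing on the green-team path and one carrying both gets the full set, so a token that can read but not create there must hold some other policy than the two quoted here; `vault token lookup` shows which.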