Child Token with Policies from Sub Namespace

Hi,

I know this is a rather complex setup and there are ways to make it easier, but I’m rather curious whether this could work at all.

Let’s assume I have the following structure:

/ns1
  |- approles/automation_role
  |- token/automation_role(?)
  |- ns2
  |   |- secrets/
  |   |    |- A
  |   |    |- B
  |   |- policies/
  |        |- policy4A
  |        |- policy4B
  |- ns3
       |- secrets/
       |    |- X
       |    |- Y
       |- policies/
            |- policy4X
            |- policy4Y

The basic idea is: dedicated admins of ns2 and ns3 manage the policies for their secrets independently, even from the parent namespace. Now, an automation tool needs to read a secret from one of the namespaces and, to prevent accidental leakage, it should only be able to perform the operations specified in the corresponding policy. E.g.: if it needs to work with secret “A”, only the operations specified in policy “policy4A” must be permitted.
I think this should be possible by creating a token role which has all the policies associated and then creating an orphan token with just the necessary policy.
But where to put the token role and identities? Can this be implemented in a way that the parent namespace doesn’t need to know about all the policies?

Thanks in advance for your help,
Andreas

I got it working after I cleaned up the mess of a PoC and it wasn’t actually that complicated.
No dedicated token role is needed. The steps it took me are:
1.) Create an approle in ns1
2.) Create an identity for the approle
3.) Create all the policies in the sub namespaces
4.) Create an identity group in the sub namespaces and associate the policies with it.
5.) Now add the identity from step 2 (ns1) to the groups of the sub namespaces. I did this with terraform. No idea how it works via CLI.
6.) After login with the approle you can check the associated policies of the login token. It should have the sub namespace policies mentioned under “external_namespace_policies”
7.) Finally create an orphan token for the sub namespace with the desired policy in the request payload. E.g.: curl ... -X POST --data '{"policies": ["policy4A"]}' https://vaultaddr/v1/ns1/ns2/auth/token/create-orphan

Hopefully, this helps people fighting with similar problems.
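As an added example (not Andreas’s own Terraform, which was not posted), this is how steps 1 to 5 could look with the hashicorp/vault Terraform provider for one sub namespace (ns2) and one policy (policy4A); the provider version, the KV mount type and the entity/group/alias names are assumptions.

```hcl
# Added example, not the author's code. Assumes Vault Enterprise and hashicorp/vault provider >= 3.7.
provider "vault" {
  address   = "https://vaultaddr"   # placeholder address from the post
  namespace = "ns1"                 # parent namespace; resources below are relative to it
}
# Steps 1 and 2: AppRole and its identity in ns1 (entity and alias names are assumptions).
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "automation" {
  backend        = vault_auth_backend.approle.path
  role_name      = "automation_role"
  token_policies = ["default"]   # ns1 does not need to know the ns2 policies
}

resource "vault_identity_entity" "automation" {
  name = "automation"
}
# The alias ties AppRole logins (alias name = role ID) to the entity.
resource "vault_identity_entity_alias" "automation" {
  name           = vault_approle_auth_backend_role.automation.role_id
  mount_accessor = vault_auth_backend.approle.accessor
  canonical_id   = vault_identity_entity.automation.id
}

# Step 3: the sub namespace and a policy owned by it (policy4B is analogous).
resource "vault_namespace" "ns2" {
  path = "ns2"
}

resource "vault_policy" "policy4A" {
  namespace = vault_namespace.ns2.path   # relative to the provider's ns1
  name      = "policy4A"
  policy    = <<-EOT
    path "secrets/A" {   # assumes KV v1 at secrets/; for KV v2 use secrets/data/A
      capabilities = ["read"]
    }
  EOT
}

# Steps 4 and 5: group in ns2 that carries the policies and has the ns1 entity as member;
# its policies appear on the login token as external_namespace_policies (step 6).
resource "vault_identity_group" "ns2_automation" {
  namespace         = vault_namespace.ns2.path
  name              = "automation"
  type              = "internal"
  policies          = [vault_policy.policy4A.name]
  member_entity_ids = [vault_identity_entity.automation.id]
}
```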