Hello,
I’m facing an issue with role configuration, specifically for restricting user access to a certain Kubernetes credential library. Despite configuring the role, users are encountering a “not authorized” message. I’m seeking insights or advice on how to effectively resolve this issue.
Context and Setup:
- Credential Libraries:
  - I have several credential libraries in Boundary that request tokens from Kubernetes through Vault.
  - My goal is to configure access so that users can use one specific credential library for authentication in Boundary Desktop.
- Role Configuration:
  - I created a role aimed at granting access to this specific Kubernetes credential library.
  - The grant format used is id=LIBRARY_ID;type=*;actions=*, substituting LIBRARY_ID with the actual ID of the library.
  - Despite this configuration, users assigned to this role receive a “not authorized” error when trying to access the library. When using the grant id=*;type=*;actions=*, all libraries are visible in the Boundary Desktop app, but that’s not the intention here.
- Additional Setup Details:
  - The credential library and role are within the same scope.
  - The role’s principal_ids correctly list the users/groups intended for access.
  - No other conflicting permissions are apparent in the role setup.
- Are there any specific considerations in Boundary’s permission model when configuring access to a specific Kubernetes credential library?
- Could this issue be related to the version of Boundary I’m using (0.12.1)?
- Is there an alternative or more effective method to restrict users to a specific credential library when authenticating with Boundary Desktop, especially for Kubernetes token authentication?
Thanks for your help.
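As an added illustration (this is not code from the post above, nor Boundary's own authorization engine), the following Python models the grant-string grammar the post uses, id=...;type=...;actions=... with * as a wildcard, and checks which requests a set of grants covers. It is deliberately simplified and rests on two assumptions the post does not confirm: that a list is a collection action addressed by resource type within a scope rather than by a single resource id, and that a grant naming one resource id covers only actions on that id. The project and credential-library IDs (p_..., clvlt_...) are constructed placeholders.

```python
"""Simplified evaluator for Boundary-style grant strings (added example,
not Boundary's own authorization code).

Assumptions (not confirmed by the post): grants are ';'-separated
key=value fields named id, type and actions; '*' is a wildcard; 'list'
is a collection action addressed by type within a scope, not by a single
resource id. All IDs used below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    id: Optional[str]          # specific resource/scope id, '*' or None
    type: Optional[str]        # resource type, '*' or None
    actions: frozenset[str]    # action names, may contain '*'


@dataclass(frozen=True)
class Request:
    scope_id: str              # scope the request is made in
    type: str                  # resource type, e.g. 'credential-library'
    action: str                # e.g. 'read', 'list'
    id: Optional[str] = None   # None for collection actions such as list


def parse_grant(text: str) -> Grant:
    """Parse 'id=...;type=...;actions=a,b' into a Grant."""
    fields: dict[str, str] = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed grant field: {part!r}")
        key, value = key.strip(), value.strip()
        if key not in ("id", "type", "actions"):
            raise ValueError(f"unknown grant field: {key!r}")
        fields[key] = value
    actions = frozenset(
        a.strip() for a in fields.get("actions", "").split(",") if a.strip()
    )
    if not actions:
        raise ValueError("grant must name at least one action")
    return Grant(fields.get("id") or None, fields.get("type") or None, actions)


def _type_matches(g: Grant, r: Request) -> bool:
    return g.type in (None, "*", r.type)


def grant_allows(g: Grant, r: Request) -> bool:
    """Does one grant cover one request under the simplified model?"""
    if "*" not in g.actions and r.action not in g.actions:
        return False
    if r.id is None:
        # Collection action (e.g. list): must be addressed by type, and the
        # grant's id, if present, must be the wildcard or the enclosing scope.
        return (g.type is not None and _type_matches(g, r)
                and g.id in (None, "*", r.scope_id))
    # Action on a single resource: the grant must name that id or '*'.
    return g.id in ("*", r.id) and _type_matches(g, r)


def authorized(grants: list[Grant], r: Request) -> bool:
    return any(grant_allows(g, r) for g in grants)


def demo() -> dict[str, bool]:
    """Compare the post's id-only grant with a type+id pair (constructed IDs)."""
    project = "p_1234567890"                                 # constructed scope id
    lib, other_lib = "clvlt_aaaaaaaaaa", "clvlt_bbbbbbbbbb"  # constructed library ids
    list_req = Request(project, "credential-library", "list")
    read_lib = Request(project, "credential-library", "read", lib)
    read_other = Request(project, "credential-library", "read", other_lib)

    narrow = [parse_grant(f"id={lib};type=*;actions=*")]          # as in the post
    split = [parse_grant("type=credential-library;actions=list"),
             parse_grant(f"id={lib};actions=read")]
    everything = [parse_grant("id=*;type=*;actions=*")]           # full access
    return {
        "narrow_list": authorized(narrow, list_req),          # False
        "narrow_read_lib": authorized(narrow, read_lib),      # True
        "split_list": authorized(split, list_req),            # True
        "split_read_lib": authorized(split, read_lib),        # True
        "split_read_other": authorized(split, read_other),    # False
        "everything_list": authorized(everything, list_req),  # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'allowed' if ok else 'not authorized'}")
```

In this model a list on the credential-library collection and a read on one library id are two different requests, and a grant that names only a single id satisfies the second but not the first. The check a practitioner would run is therefore to determine which request the client actually issues and compare it against the grant, rather than assuming an id-scoped grant covers both.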