I have the AWS and database secrets engines for dynamic users. It all works well, and the policies work well for CLI users. We have some users who use the web UI to generate creds; for them I have to add the following to the policy:
path "database/roles/*" {
  capabilities = [ "list" ]
}
This lists all roles, which causes confusion for some of our special users. Is it possible to only list the creds they have access to use? I have tried all formats of the path I can think of, but I either get all or none.
Vault doesn't support access-based enumeration, so the policies only support listing everything within a folder. You can certainly restrict what roles they can read/open, but unfortunately, at this time, you can't filter what they see when listing.
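As an added illustration of the answer above (example policy written for this thread, not taken from the original post or from Vault's documentation): the list grant exposes every role name under the mount, but read access to the role definition and to the credential endpoint can still be limited to the one role the user is allowed to use. It assumes the database engine is mounted at "database/" as in the question, and uses "app-readonly" as a placeholder role name.

```hcl
# Added example policy, not from the original thread. Assumes the database
# secrets engine is mounted at "database/" and that the only role this user
# may use is named "app-readonly" (placeholder name).

# Listing is all-or-nothing: the UI needs this capability to render the roles
# page, and Vault returns every key under database/roles/ regardless of what
# else the token is permitted to read.
path "database/roles/" {
  capabilities = ["list"]
}

# Effective access is still enforced per role. Reading the role definition is
# only allowed for the one role...
path "database/roles/app-readonly" {
  capabilities = ["read"]
}

# ...and, more importantly, so is generating dynamic credentials, which is a
# read on the creds endpoint for that role. Any other role under
# database/creds/ is denied by default.
path "database/creds/app-readonly" {
  capabilities = ["read"]
}
```

With this policy the user still sees all role names in the UI list, but selecting any role other than app-readonly fails with a permission denied, and only database/creds/app-readonly ever issues credentials. A quick way to confirm the intended split is to check a token's capabilities on both paths with `vault token capabilities <token> database/creds/app-readonly` and the same command against another role's creds path, expecting `read` for the first and `deny` for the second.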
OK, thanks for the confirmation.