Folks, is it possible to block (or even create a policy) that will prevent some users from running vault commands like vault disabled auth or vault enabled auth?
At its base, nobody has access to this unless you give it to them. The paths you are looking for are:
- Deny - /sys/auth/ and sys/auth/*
As documented in: /sys/auth - HTTP API | Vault | HashiCorp Developer and /sys/auth - HTTP API | Vault | HashiCorp Developer
What I think might be happening is: how are you identifying the “some users”? Userpass or some other authentication method? Or are the users just grabbing the root token to do everything? If it's the first, then just don't give them the policy. If it's the second case (all using root), then the way to do it is to implement authentication to Vault and don't give them the policies.
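To make the answer above concrete, here is an added example (not from the thread or from HashiCorp) that writes a policy with an explicit `deny` on `sys/auth` and `sys/auth/*`, attaches it to a userpass user, and checks that the user is refused when they try to enable an auth method. The policy name `deny-auth-admin`, the user `alice` and her password are assumed values; the `vault` CLI steps only run when a `vault` binary and `VAULT_ADDR` are available, so the policy-file part can be tried anywhere. Keep in mind that a root token bypasses policies entirely, which is why the answer says to put users behind a real auth method first.

```shell
#!/bin/sh
# Added example: deny the /sys/auth endpoints to a non-root user.
# Names (deny-auth-admin, alice, changeme) are assumed, not from the thread.
set -eu

POLICY_FILE="${POLICY_FILE:-./deny-auth-admin.hcl}"

# Write the policy file. Vault policy paths have no leading slash.
# An explicit "deny" wins over any "allow" granted by another policy
# attached to the same token, so this blocks vault auth enable/disable/tune
# (which call sys/auth/<path>) and vault auth list (which reads sys/auth).
write_deny_auth_policy() {
  cat > "$1" <<'EOF'
# Block listing, enabling, disabling and tuning auth methods
path "sys/auth" {
  capabilities = ["deny"]
}
path "sys/auth/*" {
  capabilities = ["deny"]
}
EOF
}

# Returns 0 when the policy file has a deny rule for the given path.
policy_denies() {
  grep -F -A1 -- "path \"$2\"" "$1" | grep -q '"deny"'
}

write_deny_auth_policy "$POLICY_FILE"

# Apply and verify against a live Vault only when the CLI and address exist.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  vault policy write deny-auth-admin "$POLICY_FILE"
  # userpass may already be enabled; that is fine.
  vault auth enable userpass >/dev/null 2>&1 || true
  vault write auth/userpass/users/alice password=changeme policies="default,deny-auth-admin"

  # Log in as alice and attempt an auth-mount change: expect "permission denied".
  ALICE_TOKEN=$(vault login -method=userpass -field=token username=alice password=changeme)
  if VAULT_TOKEN="$ALICE_TOKEN" vault auth enable -path=scratch approle 2>/dev/null; then
    echo "UNEXPECTED: alice was allowed to enable an auth method"
    exit 1
  else
    echo "denied as expected: alice cannot touch sys/auth"
  fi
fi
```

The check at the end is what you would keep as a regression test after any policy change: a token that carries the deny policy must fail on `sys/auth/*` even if another of its policies grants `sudo` there.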