Enable individual password change

diegofaleirosdossant · June 6, 2023, 8:51pm

I can’t release changing passwords for local users individually. Even with the policy created, it does not respect password changes only for the logged in user, having to grant access to all users so that they can change their password, which is a security breach.
Follows established policy.

# List auth methods
path "sys/auth"
{
  capabilities = ["list", "read"]
}

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["list", "read","write"]
}

# Change individually password
path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_6e9f2226.name}}" {
  capabilities = ["list", "read", "update"]
  allowed_parameters = {
    "password" = []
  }
}

if I do not put the “write” option in the path “auth/*” the user receives a message of access denied, however if I put the “write” it releases the user to change all the created logins.

maxb · June 6, 2023, 9:19pm

The formatting of your policy is all messed up… please: Welcome to the forum - please reformat your message

maxb · June 6, 2023, 9:25pm

Reading past the mangled formatting as best I can, I see nothing severely wrong with the policy. It should work as intended. You will need to explain in greater detail what is not working as you desire.