Hi all, I’m wondering if there is a way to get a cubbyhole-type set up where the secrets are scoped per entity as opposed to per token. We have users utilizing the Vault Web UI and for those users cubbyhole behaves rather unintuitively. As a Web UI user, I would expect that each time I log in, using a method such as username/password, I get access to the same cubbyhole. The problem is that each Web UI session appears to be tied to a new token so all previously saved cubbyhole secrets are lost.
I’ve read through, and I am aware of, the workaround proposed in the thread “Cubbyhole but with a twist”. However, I don’t particularly like that solution because it is quite different from the idea behind a cubbyhole, especially for Web UI users. You can set up a kv storage with policies as explained in that thread, but to make this work nicely in the Web UI, you also have to give users the ability to list all prefixes, so that they can easily navigate to the kv prefix associated with their username. This is far from ideal, since a user shouldn’t need to know about other Vault users to be able to access their own “private” secrets.
With the open source version, you can create a per-user policy, which gives them access to their own KV path.
The closest thing is an enterprise license, with namespaces per user.
Neither is ideal, and both are a lot to manage; you would have to build some sort of GitOps process to make it repeatable for onboarding.
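One way to get the per-user KV path from the reply above without writing and maintaining one policy per user is a single ACL policy that uses Vault's identity templating, so the path is derived from the identity of whoever logged in. This is an added example, not something posted in the thread; it assumes a KV v2 engine mounted at `secret/` and a userpass auth mount whose accessor is written as the placeholder `ACCESSOR` (take the real value from `vault auth list`). The alias name is used rather than `identity.entity.name`, because an entity that Vault auto-creates on first login gets a generated name, whereas the alias name is the actual username the person typed in.

```hcl
# Added example (not from the thread): one templated ACL policy that scopes a
# KV v2 mount to the logged-in user's own prefix. ACCESSOR is a placeholder for
# the userpass mount accessor, e.g. auth_userpass_1a2b3c4d from `vault auth list`.

# Read, write, and delete the user's own secrets (KV v2 data path).
path "secret/data/{{identity.entity.aliases.ACCESSOR.name}}/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# Listing and metadata in KV v2 go through the metadata path, so the Web UI
# can show the folder once the user opens secret/<username>.
path "secret/metadata/{{identity.entity.aliases.ACCESSOR.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

path "secret/metadata/{{identity.entity.aliases.ACCESSOR.name}}" {
  capabilities = ["list"]
}

# Deliberately no "list" on secret/metadata/ itself: a user can reach only
# their own prefix by path and cannot enumerate other users' prefixes.
```

Load it once with `vault policy write user-private user-private.hcl` and attach it to the userpass users (for example `vault write auth/userpass/users/alice policies=user-private password=...`), or to an identity group that every user belongs to, so onboarding a new user does not require a new policy. After logging in as that user, `vault kv put secret/alice/test foo=bar` followed by `vault kv list secret/alice` should succeed, while `vault kv list secret/` is denied; in the Web UI the user opens the `secret/alice` path directly instead of browsing from the mount root. Because the path is bound to the login identity rather than to the token, the same secrets are reachable across sessions, which is the per-entity behaviour the original question asks for.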