How can I create personal repository by LDAP user?

Hello, I am using vault integrated with LDAP ( Active Directory) using LDAP groups as repository. It´s working fine.

Now I want to create personal repository and grant access to respective user?


AD user = xxuser
secret´s KV repository = xxuser

I want to grant only xxuser to access kv xxuser.



We have this implemented through policy-templates. We created a set of policies (test them, to see if they fit your organisation/version):

# List the users OWN folders only
path "my-secrets/metadata/{{identity.entity.aliases.<LDAP_ACCESSOR>.name}}" {
  capabilities = ["list"]

# Full Access on your own path
path "my-secrets/data/{{identity.entity.aliases.<LDAP_ACCESSOR>.name}}/*" {
  capabilities = ["create", "read", "list", "update", "delete"]

# Delete any version
path "my-secrets/metadata/{{identity.entity.aliases.<LDAP_ACCESSOR>.name}}/*" {
  capabilities = ["read", "list", "delete"]

Much of the remaining information on groups can be found in Learn Module on identity and groups as well as combining the information on the template policies, Mount Bound Aliasses and trial and error redering the acl using /sys/internal/ui/resultant-acl - HTTP API | Vault | HashiCorp Developer ( on test instances ).