I think you may have missed some of the readings. This is not LDAP, but using the userpass. First, enable userpass.
vault auth enable userpass
Then we can list it to see the Accessor:
vault auth list
Path Type Accessor Description
---- ---- -------- -----------
token/ token auth_token_3bdac925 token based credentials
userpass/ userpass auth_userpass_4c49ed54 n/a
We can now create a policy template “own-secret” - I’m showing two scenarios:
vault policy write own-secret - <<EOF
path "{{identity.entity.aliases.auth_userpass_4c49ed54.name}}/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
path "secret/data/{{identity.entity.aliases.auth_userpass_4c49ed54.name}}/*" {
capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
EOF
Now, if we create two users - they both have the own-secret policy :
vault write auth/userpass/users/alain password=alain policies=own-secret
vault write auth/userpass/users/ricardo password=ricardo policies=own-secret
As you did, we create two kv paths:
vault secrets enable -path=alain kv-v2
vault secrets enable -path=ricardo kv-v2
Now when you login as alain :
vault login -method=userpass username=alain
vault read -format=json sys/internal/ui/resultant-acl
...
"glob_paths": {
"alain/": {
"capabilities": [
"create",
"delete",
"list",
"read",
"update",
"patch"
]
},
...
And when you log in as ricardo:
vault login -method=userpass username=ricardo
...
"ricardo/": {
"capabilities": [
"create",
"delete",
"list",
"read",
"update",
"patch"
]
},
...
Still as user ricardo:
root@934036e3b745:/workdir# vault kv put alain/test a=foo
Error making API request.
URL: GET http://vault:8200/v1/sys/internal/ui/mounts/alain/test
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "alain/test/"
root@934036e3b745:/workdir# vault kv put ricardo/test a=foo
Key Value
--- -----
created_time 2022-11-02T03:47:19.2550631Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
root@934036e3b745:/workdir#
Links to the docs :
I hope this helps.
NOTE: I was using 1.9.9, there are some changes in 1.12 to create the secrets mounts. Also, the resultant-acl is just to show the actual acl that gets created. You will notice the two polcies in the listings, I only show one. This is the what the second policy path gives for the ricardo user:
"secret/data/ricardo/": {
"capabilities": [
"create",
"delete",
"list",
"read",
"update",
"patch"
]
},