Did anything like this get added to Vault as a feature, either in F/OSS or Enterprise versions? I have a client that is requesting the ability to determine “who” (machine or user) can access a given path. Something like: “Given path X, users b, c, d, and e have update access, users b, c have create access, users b, c, d, e, and g have read access”, etc.
Nothing like that has been added, because there is no “explicit link” between a “user” and a “policy” - it all depends on what auth method is used, and even with that, what attributes get extracted.
Depending on how your auth engines are set up, this could be simple (e.g. userpass) or very complicated (JWT with attributes and multiple policy templates).
As an example - Userpass with groups:
User x, belongs to group A
All users have policy U
group A has policy G
policy A + policy G has access to the following.
As a more complex example from one of mine, we use JWT auth for GitLab pipelines - as well as LDAP for users. From LDAP, users have full access to /my-secrets/[username]/*. GitLab pipelines authenticate using JWTs (they are a “user”). Using information from the JWT, the runners have read access to:
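For the simple userpass-with-groups case in the reply above, the “who can do what on path X” inversion the question asks for can be computed offline from the policy documents. This is an added example, not code from the thread or from Vault: the users, groups and policies are constructed, and the matcher is a simplified model of Vault ACL evaluation (trailing `*` glob, `+` segment wildcard, the most specific rule wins, `deny` overrides, a user's policies merged path by path).

```python
from collections import defaultdict

# Constructed policy documents (path pattern -> capabilities), not real ones.
POLICIES = {
    "U": {"secret/data/shared/*": ["read", "list"]},            # every user
    "G": {"secret/data/shared/+/config": ["create", "update"],  # group A only
          "secret/data/shared/prod/config": ["deny"]},
}
GROUP_POLICIES = {"A": ["G"]}          # group A -> policy G
DEFAULT_POLICIES = ["U"]               # attached to all users
USER_GROUPS = {"b": ["A"], "c": ["A"], "d": [], "e": []}  # constructed users

def _matches(pattern, path):
    """Simplified Vault path match: trailing '*' is a prefix glob, '+' matches one segment."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    seg = path.split("/")
    if glob:
        if len(seg) < len(pseg):
            return False
        head = pseg[:-1]
        return all(p in ("+", s) for p, s in zip(head, seg)) and seg[len(head)].startswith(pseg[-1])
    return len(seg) == len(pseg) and all(p in ("+", s) for p, s in zip(pseg, seg))

def _specificity(pattern):
    # Exact rules beat globs; among those, the longer literal pattern wins (simplified).
    return (not pattern.endswith("*"), len(pattern.replace("+", "")))

def policies_for(user):
    names = list(DEFAULT_POLICIES)
    for group in USER_GROUPS[user]:
        names += GROUP_POLICIES.get(group, [])
    return names

def merged_acl(user):
    # Vault merges a token's policies per path: capabilities are unioned, explicit deny wins.
    acl = defaultdict(set)
    for name in policies_for(user):
        for pattern, caps in POLICIES[name].items():
            acl[pattern] |= set(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in acl.items()}

def capabilities(user, path):
    acl = merged_acl(user)
    matches = [p for p in acl if _matches(p, path)]
    return set(acl[max(matches, key=_specificity)]) if matches else set()

def who_can(path):
    """Invert the policy set: capability -> sorted users holding it on this path."""
    out = defaultdict(list)
    for user in sorted(USER_GROUPS):
        for cap in capabilities(user, path):
            out[cap].append(user)
    return dict(out)
```

Note that b and c end up with create/update but not read on `secret/data/shared/dev/config`: Vault applies only the most specific matching rule rather than merging it with the broader glob, which is exactly the kind of surprise this inversion makes visible.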