How to restrict a user to listing only their own path in the kv2 secret engine when many user paths exist

How to restrict a user to listing only their own path in the kv2 secret engine when many user paths exist? For example, here is the scenario.

Secret along with path "secret/Deployments/satya.yelledi@gmail.com/lnx4395/passwd"

The policy is like:

path "secret/vaaDeployments/metadata/" {
  capabilities = ["list"]
}

path "secret/Deployments/metadata/{{identity.entity.aliases.auth_oidc_xxxxx.name}}/" {
  capabilities = ["list"]
}

path "secret/Deployments/data/{{identity.entity.aliases.auth_oidc_xxxxx.name}}/*" {
  capabilities = ["list", "read"]
}

With this policy, OIDC users are able to see all other users' paths, but I want to restrict them to the user's own path only. I have tried removing

path "secret/vaaDeployments/metadata/" {
  capabilities = ["list"]
}
and then the user is unable to list his own secrets too.

It sounds like you want the list operation to return a list of entries, filtered to what the user has further permissions to work with.

Unfortunately, this is not a feature currently implemented by Vault. Vault only supports revealing, or forbidding access, to the list of names located in a particular “directory”.

In this respect, it is similar to how regular computer filesystems behave on Linux and Windows.

In the short term, your only options are to allow users to see the entire list of user IDs, or to deny the listing completely - at which point users would have to know the correct form of their user ID to enter by typing it manually, to browse within that container.

Perhaps in the future, HashiCorp might decide to remedy this feature gap.
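A policy spelling out the first option from the answer above (let users see the whole list of user IDs, but restrict list and read below it to each user's own subtree). This is an added example and not part of the original thread; it reuses the paths, the entity-alias template and the mount accessor placeholder `auth_oidc_xxxxx` from the question, and assumes `secret/` is a KV v2 mount, so listing is evaluated against `metadata/` and reads against `data/`.

```hcl
# Added example policy, not from the original post. The mount accessor
# "auth_oidc_xxxxx" is the placeholder used in the question; replace it with
# the accessor of your OIDC auth mount (see "vault auth list").

# Option 1: allow listing the parent "directory". Vault does not filter the
# result, so this reveals every user ID stored under secret/Deployments/.
# Option 2 is simply to delete this block: listing the parent is then denied
# outright, and each user has to type their own ID to browse below it.
path "secret/Deployments/metadata/" {
  capabilities = ["list"]
}

# Templated per-user subtree. The alias name of the calling entity is
# substituted at evaluation time, so a user can only list below their own ID.
# The trailing "/*" also covers nested folders such as lnx4395/.
path "secret/Deployments/metadata/{{identity.entity.aliases.auth_oidc_xxxxx.name}}/*" {
  capabilities = ["list", "read"]
}

# Secret payloads live under data/ in KV v2; read is limited the same way.
path "secret/Deployments/data/{{identity.entity.aliases.auth_oidc_xxxxx.name}}/*" {
  capabilities = ["read"]
}
```

With the first block present, `vault kv list secret/Deployments/` returns all user IDs for every OIDC user, while `vault kv list secret/Deployments/<other-user>/` and any read outside the caller's own subtree are denied by the templated blocks. Note that the question's first block names `secret/vaaDeployments/...` while the templated blocks name `secret/Deployments/...`; the example uses one consistent mount path, since a parent block on a different path grants nothing for the templated subtree.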