Hi, I’m a Vault newbie and a little confused about whether Vault can meet my needs. I’m looking to build a general RBAC system, and want to manage the policies in Vault. Specifically, I have a set of endpoints that users with roles should have varying levels of access to. e.g.
role 1 can do action 1, action 2, action 3
role 2 can do action 1, action 3
role 3 can do action 2
I started reading the docs on Vault policies, but it seems like this is an RBAC system for Vault itself, to control what secrets can be read? I’m wondering if I can leverage this policy system for general RBAC, perhaps by creating a path for each role? I’m not entirely sure how this works so any information would be helpful. Thanks!
You probably want to look at something like OPA or Casbin, but you could store the actual policies in Vault (e.g. in K/V or encrypted via Transit) to ensure that they have not been tampered with (since we use authenticating ciphers).