Dear all,
I am trying to delegate the management of Vault roles and policies to different teams, let's say A & B. Each team has one or more k8s clusters, so each team policy allows them to create their own Kubernetes auth endpoints within their "paths",
i.e.:
auth/team-a/k8s1 vs auth/team-b/k8s2
path "sys/auth/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
They can also create policies to be used in their auth roles under "team paths", i.e.:
path "sys/policies/acl/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
This all works. But members of either team can "attach policies" from the other team's path to their k8s auth roles, which I did not expect. I.e. a role created by a team-a member under auth/team-a/k8s1/hahaha can attach sys/policies/acl/team-b/consul-reader, completely bypassing the intended isolation.
I expected that if a user can only access x/team-a paths, any auth endpoints and roles he creates are restricted to the x/team-a path?
Am I missing something obvious? Is this not supported in Vault (open source)?
This is the entire team policy I am testing (example for team-a):
# secrets
path "team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/auth" {
  capabilities = ["list"]
}
path "sys/auth/team-a*" {
  capabilities = ["read", "list"]
}
path "sys/auth/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# policies
path "sys/policies/acl/team-a" {
  capabilities = ["list"]
}
path "sys/policies/acl/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# auth
path "auth/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
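The "# auth" stanza above grants full write on auth/team-a/*, and a path capability says nothing about the request body, so the `policies` value written into a role is not checked against any prefix. The following is an added example, not the poster's policy and not Vault documentation: it replaces only that stanza with a value constraint on the policy-name parameters. It assumes Vault's `allowed_parameters` semantics as documented (`"*" = []` leaves unlisted request parameters unconstrained, a listed key is restricted to the given values, a trailing `*` in a value is a prefix glob, and list-valued parameters are checked element by element), and that `token_policies` and `policies` are the parameter names the Kubernetes auth role accepts.

```hcl
# Added example (not the poster's policy): the team-a auth stanza with a
# constraint on which policy names a role may attach.
# Assumptions: allowed_parameters is evaluated per key on write requests,
# "*" = [] leaves every unlisted parameter unconstrained, a trailing "*" in a
# value is a prefix glob, and each element of a list value is checked.
path "auth/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]

  allowed_parameters = {
    # Role and mount-config parameters not listed below (bound_service_account_names,
    # bound_service_account_namespaces, ttl, ...) stay unconstrained.
    "*" = []

    # Policy names attached to a role must sit under the team prefix.
    # "token_policies" is the current parameter name on auth roles and
    # "policies" the older alias; constrain both so neither is a way around it.
    # "default" is listed only so it can be named explicitly; Vault attaches it anyway.
    "token_policies" = ["team-a/*", "default"]
    "policies"       = ["team-a/*", "default"]
  }
}
```

With this in place, a team-a token writing `token_policies=team-b/consul-reader` to auth/team-a/k8s1/role/hahaha should fail with a permission-denied error, while `token_policies=team-a/consul-reader` still succeeds; verify both requests with a token that holds only the team policy before relying on the constraint. Note that the constraint lives in the team policy, so it binds only tokens that reach the role endpoint through it: a root token or any broader operator policy is unaffected, and the team policy's sys/policies/acl/team-a/* grant is still what keeps team-a from creating policies outside its own prefix in the first place.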