I want to use namespaces in a Vault as a Service deployment model where each namespace is for isolated and dedicated use of a particular area within an organisation.
The organisation has some business-wide IAM systems and wants to enable things like LDAP and Kubernetes authentication methods that can be used by any of the business areas using Vault.
After reading through the Vault website the options seem to be to:
1. declare a new auth method in each namespace (using the same auth method configuration, e.g. the same LDAP servers & username) that is for exclusive use by that namespace
2. declare common global auth methods in a parent namespace and then define policies in that parent namespace that specify which permissions a successful login allows in the child namespaces, e.g. to read secrets in the child namespace k/v store
Option 1 requires duplication of auth methods in each namespace and means any update to the backend IAM system e.g. updating the LDAP access URL and/or service account credentials (for Vault to authenticate with) will require updates in every defined namespace where this auth method is declared. This may result in large numbers of duplicate auth methods associated with large numbers of namespaces. It does however allow full autonomy for the child namespace administrators who can declare their own policies and thus determine for example what secrets may be accessed from a login with that method. There is no need to rely on some other team in the organisation performing policy administration to enable access to secrets in their namespace.
Option 2 means (common) auth backends are declared just once and can be used by all business areas/child namespaces. A separate team, e.g. a security team, would declare and administer the common global auth methods and any updates would be picked up by all child namespaces (no need to make multiple updates as with option 1). This would however require the team with admin permissions on the parent namespace, e.g. the security team, to declare the policies that allow access into the child namespaces for the auth methods. This means each business area has a dependency on the security team performing policy work for them before they can start using that auth method.
Is there a solution that combines option 1 and 2 so that auth methods are declared just once but allowing the child namespace admins to be fully autonomous without having to rely on some other team performing policy updates at the parent namespace level?
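For reference, the two layouts described in the question written out as Vault Enterprise policy files and the CLI steps around them; this is an added illustration, not part of the original post, and the namespace name `team-a`, the LDAP group `team-a-devs` and the policy names are placeholders assumed for the example.

```hcl
# Option 2: LDAP is enabled once in the parent namespace. A policy written in
# the parent reaches into the child by prefixing the child namespace name, so
# the parent admins own this policy and attach it to the LDAP group mapping.
#
#   vault namespace create team-a
#   vault auth enable ldap
#   vault write auth/ldap/config url="ldap://ldap.example.internal" ...
#   vault policy write team-a-readers team-a-readers.hcl
#   vault write auth/ldap/groups/team-a-devs policies="team-a-readers"
#
# team-a-readers.hcl (stored in the parent namespace; assumed file name)
path "team-a/secret/data/*" {
  capabilities = ["read"]
}
path "team-a/secret/metadata/*" {
  capabilities = ["list", "read"]
}

# Option 1: LDAP is enabled again inside the child namespace with the same
# backend settings, so the child admins write a local policy with no prefix,
# but every LDAP config change must be repeated per namespace.
#
#   VAULT_NAMESPACE=team-a vault auth enable ldap
#   VAULT_NAMESPACE=team-a vault write auth/ldap/config url="ldap://ldap.example.internal" ...
#   VAULT_NAMESPACE=team-a vault policy write readers readers.hcl
#   VAULT_NAMESPACE=team-a vault write auth/ldap/groups/team-a-devs policies="readers"
#
# readers.hcl (stored in the team-a namespace; assumed file name)
path "secret/data/*" {
  capabilities = ["read"]
}
path "secret/metadata/*" {
  capabilities = ["list", "read"]
}
```

A token issued by the parent's LDAP mount is honoured in child namespaces, which is what lets the parent-level policy in option 2 grant the child access; the child-level policy in option 1 only ever sees its own namespace.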