Policy for the user to view only their userpass

I would like to create a policy to assign to multiple users, where each one could only view their userpass and change their password.

Example: I have a user named Lisa, the policy for her to view and modify only her userpass would be:

[image: screenshot of the policy for Lisa]

But taking into account that I have several users, I would not want to create a policy for each one so that they can only access their userpass.

Is there some kind of variable in Vault that I could put in the policy which would take the username? Then you could just create one policy with the variable. Example:

[image: screenshot of the policy using {{username}}]

In this case, as if {{username}} assumed the name of the logged-in user.

I think templated policies is what you’re after. I’ve not used the username auth method so I’m not sure this will work but replacing {{username}} with {{identity.entity.name}} might get you what you’re looking for.

1 Like

Unfortunately that didn't work for me. I'm not sure, but it looks like identity.entity.name and identity.entity.id are used for secret access policies like KV version 2.

For identity.entity.name to work properly you would need to pre-populate or rename the identity entity to match the username; by default it's called entity-<random string>.

I did do some testing and found that changing the password through the UI does not work, as the UI form edits the user and not the password directly. Getting a UI-based password reset flow would probably require a feature request.

I was able to reset a test user's password as the test user using the command `vault write auth/userpass/users/my_user/password password=my_new_password` when the entity name and username were both set to my_user.

2 Likes
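The templated policy described in the replies above, written out as an added example (not from the thread or from the Vault docs). It assumes, as the reply says, that each identity entity has been created or renamed so its name equals the userpass username; the user entry itself is granted only `read`, since `update` on `auth/userpass/users/<name>` would let the user change their own token policies, not just their password.

```hcl
# Added example: one templated ACL policy shared by every userpass user.
# Assumption: the identity entity name equals the userpass username
# (entities named entity-<random string> must be renamed first).

# Read-only view of the user's own userpass entry.
# Do not add "update" here: that endpoint also accepts token_policies,
# which would let a user widen their own permissions.
path "auth/userpass/users/{{identity.entity.name}}" {
  capabilities = ["read"]
}

# Password change restricted to the user's own account.
path "auth/userpass/users/{{identity.entity.name}}/password" {
  capabilities = ["update"]
}
```

With this policy attached to the entity, the `vault write auth/userpass/users/my_user/password password=...` command from the reply above succeeds for my_user and is denied for any other username.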

Thank you for the help !