I’m searching for the solution about how can I set a policy for the following purpose.
I’m an user, logged in via OIDC from azure. I would like to see the policies what are applied to me.
A user can see the names of the policies affecting them, via the vault token lookup command, or similar data also printed when logging in at the CLI.
However, this is the names, only.
A user can see some information about their access via the sys/internal/ui/resultant-acl API… however, it is incomplete, as it does not include paths using /+/ wildcards.
Access to view policy contents, but only for policies the user possesses, cannot be defined - unless the permission is written out manually for each relevant named policy.
One option might be for the Vault administrator to decide every policy will include a statement giving access to read itself.
However, even that is potentially problematic, as that will prevent administrators who are supposed to be able to write all policies, from writing to policies that they themselves hold.
In short, there isn’t an elegant solution here.