I have a number of policies that control the access to various secrets. Some are R/O and others allow R/W. From time to time I need to do a review of who has R/W access to the secrets. Is there a way to query the policy list for what users/tokens are members of a policy?
Strictly speaking, policies don’t have members.
I know what you mean, though, and Vault doesn’t have a built-in answer for this - it requires the Vault admin to write a program that makes a multitude of different API calls to Vault. Essentially you have to crawl the Vault API yourself, looking for all of the various places policies can be configured.
Key places to look are:
- `identity/entity/id/*` in the `policies` field
- `identity/group/id/*` in the `policies` field
- Read the full list of your auth methods from `sys/auth` and then, for each of them, check the docs for where policies can be configured within them - here are some examples:
  - `auth/approle/role/*` in the `token_policies` field
  - `auth/jwt/role/*` in the `token_policies` field
  - `auth/kubernetes/role/*` in the `token_policies` field
  - `auth/token/role/*` in the `allowed_policies` field
  - `auth/ldap/groups/*` in the `policies` field
  - `auth/ldap/config` in the `token_policies` field
- If you’re using Vault Enterprise, remember to also list namespaces and repeat everything for each namespace
If you have tokens being created directly using `auth/token/create` rather than logins or token roles, you’d need to care about whatever does that too.
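The crawl described in this answer, written out as an added example (this is not code from the thread or from HashiCorp). It walks identity entities and groups, then every auth mount from `sys/auth`, reading the policy field each method uses; token roles are read from `auth/token/roles/<name>`, which is where the API serves them. Mount types not in the `AUTH_POLICY_FIELDS` table are reported as unchecked rather than silently skipped, so the reviewer knows to consult their docs. The `vault_client`, `find_policy_holders` and `sample_call` names and the `SAMPLE` responses are this example's own assumptions; `SAMPLE` is constructed to mirror the API's response shapes so the script runs offline.

```python
"""Active review: crawl the Vault API for every place a policy is attached.
Added example, not from the original thread. Paths follow the answer above;
the helper names, fake client and SAMPLE responses are assumptions."""
import json
import os
import urllib.error
import urllib.request

# Auth method type -> (sub-path under the mount, policy field, listable collection?)
# Deliberately limited to the methods named in the answer; others are reported.
AUTH_POLICY_FIELDS = {
    "approle": [("role", "token_policies", True)],
    "jwt": [("role", "token_policies", True)],
    "oidc": [("role", "token_policies", True)],
    "kubernetes": [("role", "token_policies", True)],
    "token": [("roles", "allowed_policies", True)],
    "ldap": [("groups", "policies", True), ("config", "token_policies", False)],
}


def vault_client(addr, token, namespace=""):
    """Return call(method, path) -> the 'data' object of a Vault response,
    or None on 404 (empty listing / missing item). Standard library only."""
    def call(method, path):
        req = urllib.request.Request(f"{addr}/v1/{path}", method=method)
        req.add_header("X-Vault-Token", token)
        if namespace:  # Vault Enterprise: run the crawl once per namespace
            req.add_header("X-Vault-Namespace", namespace)
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp).get("data")
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return call


def _policies(data, field):
    """Normalise a policy field to a list; some endpoints return a comma string."""
    value = (data or {}).get(field) or []
    if isinstance(value, str):
        value = [p.strip() for p in value.split(",") if p.strip()]
    return value


def find_policy_holders(call, policy):
    """Return (hits, unchecked): hits are (path, field) pairs that carry `policy`;
    unchecked are auth mounts whose type the table above does not cover."""
    hits = []

    def scan(base, field, listable):
        if listable:
            names = (call("LIST", base) or {}).get("keys", [])
            paths = [f"{base}/{name}" for name in names]
        else:
            paths = [base]
        for path in paths:
            if policy in _policies(call("GET", path), field):
                hits.append((path, field))

    for kind in ("entity", "group"):
        scan(f"identity/{kind}/id", "policies", True)

    unchecked = []
    for mount, info in (call("GET", "sys/auth") or {}).items():  # keys like "approle/"
        fields = AUTH_POLICY_FIELDS.get((info or {}).get("type"))
        if fields is None:
            unchecked.append(mount)
            continue
        for sub, field, listable in fields:
            scan(f"auth/{mount}{sub}", field, listable)
    return hits, unchecked


# Constructed responses (assumption) so the crawl can be demonstrated offline.
SAMPLE = {
    ("LIST", "identity/entity/id"): {"keys": ["ent-1", "ent-2"]},
    ("GET", "identity/entity/id/ent-1"): {"name": "alice", "policies": ["default", "secrets-rw"]},
    ("GET", "identity/entity/id/ent-2"): {"name": "bob", "policies": ["default", "secrets-ro"]},
    ("LIST", "identity/group/id"): {"keys": ["grp-1"]},
    ("GET", "identity/group/id/grp-1"): {"name": "ops", "policies": "secrets-rw,default"},
    ("GET", "sys/auth"): {"approle/": {"type": "approle"}, "token/": {"type": "token"},
                          "ldap/": {"type": "ldap"}, "userpass/": {"type": "userpass"}},
    ("LIST", "auth/approle/role"): {"keys": ["ci"]},
    ("GET", "auth/approle/role/ci"): {"token_policies": ["secrets-ro"]},
    ("LIST", "auth/token/roles"): {"keys": ["deploy"]},
    ("GET", "auth/token/roles/deploy"): {"allowed_policies": ["secrets-rw"]},
    ("LIST", "auth/ldap/groups"): {"keys": ["admins"]},
    ("GET", "auth/ldap/groups/admins"): {"policies": ["secrets-rw"]},
    ("GET", "auth/ldap/config"): {"token_policies": []},
}


def sample_call(method, path):
    return SAMPLE.get((method, path))


if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        call = vault_client(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                            os.environ.get("VAULT_NAMESPACE", ""))
    else:
        call = sample_call
    hits, unchecked = find_policy_holders(call, "secrets-rw")
    for path, field in hits:
        print(f"{path}  ({field})")
    for mount in unchecked:
        print(f"unchecked auth mount {mount}: consult its docs for policy fields")
```

Run it with `VAULT_ADDR` and `VAULT_TOKEN` set to crawl a real server (the token needs list and read on the identity, `sys/auth` and auth mount paths); without them it runs against the constructed sample. Two caveats the answer implies: a token role whose `allowed_policies` is empty does not restrict the policies its tokens may carry, so an empty list there deserves a manual look, and tokens minted straight from `auth/token/create` never show up in any of these paths.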
A couple of minor wording changes. Policies don’t have members; a policy is just a statement that can be applied to a token. There are various auth methods that could automatically assign that policy to anyone who successfully authenticates via that method, but there is no way of asking Vault who uses this policy without writing a whole bunch of queries – it’s even worse if you’re using Enterprise and use namespaces.
That’s not the whole story though, anyone with enough privileges can simply create a token that uses that policy so it isn’t limited to authentication methods.
Actively, in general there is no way of determining who uses the policy. Passively what we do is keep about 90 days of audit logs in Splunk. There you can write a query to see what/who has been using what. It isn’t a great solution but it’s better than nothing.
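The passive approach in this reply, as an added example that is not code from the thread: it reads Vault audit log lines (one JSON object per line, as the file audit device writes them) and reports which principals actually exercised a policy and on what paths. The field names used (`type`, `auth.policies`, `auth.display_name`, `auth.entity_id`, `request.operation`, `request.path`) follow Vault's audit format; the sample lines, the `policy_usage` name and the `WRITE_OPERATIONS` set are this example's own constructions. Only `request` entries are counted so each call appears once, and malformed lines are counted rather than crashing the run.

```python
"""Passive review: who has actually used a policy, from Vault audit log lines.
Added example, not from the original thread; the log lines are constructed."""
import json
from collections import defaultdict

# Operations that change data; pass as `operations` to restrict to R/W usage.
WRITE_OPERATIONS = {"create", "update", "delete", "patch"}

# Constructed sample (assumption): a request/response pair, a read-only AppRole
# call, a token with no entity (created directly, not via a login) and one junk line.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-03-01T10:00:00Z","type":"request","auth":{"display_name":"ldap-alice","entity_id":"ent-1","accessor":"hmac-sha256:aaa","policies":["default","secrets-rw"]},"request":{"operation":"update","path":"secret/data/app/db"}}
{"time":"2024-03-01T10:00:00Z","type":"response","auth":{"display_name":"ldap-alice","entity_id":"ent-1","accessor":"hmac-sha256:aaa","policies":["default","secrets-rw"]},"request":{"operation":"update","path":"secret/data/app/db"},"response":{"status":200}}
{"time":"2024-03-01T10:05:00Z","type":"request","auth":{"display_name":"approle-ci","entity_id":"ent-9","accessor":"hmac-sha256:bbb","policies":["default","secrets-ro"]},"request":{"operation":"read","path":"secret/data/app/db"}}
{"time":"2024-03-01T11:00:00Z","type":"request","auth":{"display_name":"token","entity_id":"","accessor":"hmac-sha256:ccc","policies":["secrets-rw"]},"request":{"operation":"create","path":"secret/data/app/api"}}
this line is not json
"""


def policy_usage(lines, policy, operations=None):
    """Return (usage, skipped). usage maps (display_name, entity_id) of every
    token that carried `policy` to the set of (operation, path) it performed;
    skipped counts lines that were not valid JSON. `operations`, if given,
    keeps only those operations (e.g. WRITE_OPERATIONS for an R/W review)."""
    usage = defaultdict(set)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if entry.get("type") != "request":  # count each call once
            continue
        auth = entry.get("auth") or {}
        if policy not in (auth.get("policies") or []):
            continue
        req = entry.get("request") or {}
        op = req.get("operation", "")
        if operations is not None and op not in operations:
            continue
        who = (auth.get("display_name", ""), auth.get("entity_id", ""))
        usage[who].add((op, req.get("path", "")))
    return dict(usage), skipped


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG.splitlines()
    usage, skipped = policy_usage(lines, "secrets-rw", WRITE_OPERATIONS)
    for (name, entity), calls in usage.items():
        label = f"{name} (entity {entity})" if entity else f"{name} (no entity: direct token)"
        for op, path in sorted(calls):
            print(f"{label}: {op} {path}")
    if skipped:
        print(f"skipped {skipped} unparseable line(s)", file=sys.stderr)
```

Point it at an audit log file (`python review.py /var/log/vault/audit.log`) or pipe the same logic into your Splunk search; an empty `entity_id` alongside a policy hit is exactly the directly created token this reply warns about. Because audit logs only show tokens that were used, a token holding the policy but idle during the retention window will not appear, which is why this is a complement to the active crawl rather than a replacement.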
Thanks Aram and Maxb, for confirming what I was afraid of. I guess I’ll have to look into a script. Luckily my user base is relatively simple so I should be able to come up with something…