Policy members - how to identify all members of a policy?

I have a number of policies that control the access to various secrets. Some are R/O and others allow R/W. From time to time I need to do a review of who has R/W access to the secrets. Is there a way to query the policy list of what users/tokens are members of a policy?

Strictly speaking, policies don’t have members.

I know what you mean, though, and Vault doesn’t have a built in answer for this - it requires the Vault admin to write a program that makes a multitude of different API calls to Vault. Essentially you have to crawl the Vault API yourself, looking for all of the various places policies can be configured.

Key places to look are:

  • identity/entity/id/* in the policies field
  • identity/group/id/* in the policies field
  • Read the full list of your auth methods from sys/auth and then for each of them, check the docs for where policies can be configured within them - here are some examples:
    • auth/approle/role/* in the token_policies field
    • auth/jwt/role/* in the token_policies field
    • auth/kubernetes/role/* in the token_policies field
    • auth/token/role/* in the allowed_policies field
    • auth/ldap/groups/* in the policies field
    • auth/ldap/config in the token_policies field
  • If you’re using Vault Enterprise, remember to also list namespaces and repeat everything for each namespace

If you have tokens being created directly using auth/token/create rather than logins or token roles, you’d need to care about whatever does that too.

1 Like
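A crawler along the lines described above, as an added example that is not from the original post or from Vault itself. It assumes `read(path, list_=False)` returns the `data` part of a Vault GET (or LIST) on that path, or None when the path does not exist; the sample cluster state, auth mounts and policy names are constructed for the offline run.

```python
# Per auth-method type: (sub-path, field holding the policy list, is_list).
# Only the examples from the answer above; other auth types need their own entry.
AUTH_LOCATIONS = {
    "approle": [("role", "token_policies", True)],
    "jwt": [("role", "token_policies", True)],
    "kubernetes": [("role", "token_policies", True)],
    "token": [("roles", "allowed_policies", True)],  # token roles live under auth/token/roles
    "ldap": [("groups", "policies", True), ("config", "token_policies", False)],
}

def has_policy(record, field, policy):
    value = record.get(field) or []
    if isinstance(value, str):  # tolerate "a,b" strings as well as lists
        value = [p.strip() for p in value.split(",")]
    return policy in value

def find_policy_references(read, policy):
    """Return 'path:field' for every object that assigns `policy`."""
    hits = []

    def scan(path, field, is_list):
        keys = (read(path, list_=True) or {}).get("keys", []) if is_list else [None]
        for key in keys:
            item = path if key is None else f"{path}/{key}"
            if has_policy(read(item) or {}, field, policy):
                hits.append(f"{item}:{field}")

    scan("identity/entity/id", "policies", True)
    scan("identity/group/id", "policies", True)
    # sys/auth maps each mount path ("approle/") to its metadata, including "type".
    for mount, info in (read("sys/auth") or {}).items():
        for sub, field, is_list in AUTH_LOCATIONS.get(info.get("type"), []):
            scan(f"auth/{mount.rstrip('/')}/{sub}", field, is_list)
    return hits

# Constructed sample state (not a real cluster) so the crawler runs offline.
SAMPLE = {
    "sys/auth": {"approle/": {"type": "approle"}, "ldap/": {"type": "ldap"}},
    "identity/entity/id": {"keys": ["e1"]},
    "identity/entity/id/e1": {"policies": ["secrets-rw", "default"]},
    "auth/approle/role": {"keys": ["ci"]},
    "auth/approle/role/ci": {"token_policies": ["secrets-ro"]},
    "auth/ldap/groups": {"keys": ["admins"]},
    "auth/ldap/groups/admins": {"policies": "secrets-rw,default"},
    "auth/ldap/config": {"token_policies": []},
}
sample_read = lambda path, list_=False: SAMPLE.get(path)

if __name__ == "__main__":
    print(find_policy_references(sample_read, "secrets-rw"))
```

Against a real cluster, `read` wraps the HTTP API (GET /v1/<path>, with ?list=true for LIST, sending the X-Vault-Token header) and returns the response's `data`; on Vault Enterprise run it once per namespace with X-Vault-Namespace set, as the answer notes.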

A couple of minor wording changes. Policies don’t have members, it’s just a statement that can be applied to a token. There are various auth methods that could automatically assign anyone who successfully authenticates via that method that policy, but there is no way of asking Vault who uses this policy without writing a whole bunch of queries – it’s even worse if you’re using enterprise and use namespaces.

That’s not the whole story though, anyone with enough privileges can simply create a token that uses that policy so it isn’t limited to authentication methods.

Actively, in general there is no way of determining who uses the policy. Passively what we do is keep about 90 days of audit logs in Splunk. There you can write a query to see what/who has been using what. It isn’t a great solution but it’s better than nothing.

1 Like

Thanks Aram and Maxb for confirming what I was afraid of. I guess I’ll have to look into a script. Luckily my user base is relatively simple so I should be able to come up with something…

1 Like