Strictly speaking, policies don’t have members.
I know what you mean, though, and Vault doesn’t have a built-in answer for this - it requires the Vault admin to write a program that makes a multitude of different API calls to Vault. Essentially you have to crawl the Vault API yourself, looking for all of the various places policies can be configured.
Key places to look are:

- `identity/entity/id/*` in the `policies` field
- `identity/group/id/*` in the `policies` field
- Read the full list of your auth methods from `sys/auth` and then for each of them, check the docs for where policies can be configured within them - here are some examples:
  - `auth/approle/role/*` in the `token_policies` field
  - `auth/jwt/role/*` in the `token_policies` field
  - `auth/kubernetes/role/*` in the `token_policies` field
  - `auth/token/role/*` in the `allowed_policies` field
  - `auth/ldap/groups/*` in the `policies` field
  - `auth/ldap/config` in the `token_policies` field
- If you’re using Vault Enterprise, remember to also list namespaces and repeat everything for each namespace
If you have tokens being created directly using auth/token/create rather than logins or token roles, you’d need to care about whatever does that too.
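As an added example (written for this page, not code from the answer above or from HashiCorp), here is a Python crawler that walks the locations the answer lists over Vault's HTTP API and reports every configured object that grants a given policy. It assumes the documented read/list paths (`sys/auth`, `identity/entity/id`, `identity/group/id`, the per-method role paths; token roles are listed and read under `auth/token/roles`), the usual `VAULT_ADDR`/`VAULT_TOKEN`/`VAULT_NAMESPACE` environment variables, and uses a constructed in-memory `FakeVault` with sample data so it runs offline. `HttpVault`, `FakeVault`, `policy_references`, `ROLE_LOCATIONS` and `SAMPLE_STORE` are names introduced here.

```python
"""Crawl Vault for every place a named policy is attached (added example)."""
import json
import os
import urllib.error
import urllib.request

# Per auth-method type: (list path, read path, field holding policy names).
# Only the method types from the answer above; extend as your docs crawl finds more.
ROLE_LOCATIONS = {
    "approle": ("role", "role", "token_policies"),
    "jwt": ("role", "role", "token_policies"),
    "kubernetes": ("role", "role", "token_policies"),
    "token": ("roles", "roles", "allowed_policies"),  # documented path is auth/token/roles
    "ldap": ("groups", "groups", "policies"),
}
# Per auth-method type: (config path, field) for method-wide default policies.
CONFIG_LOCATIONS = {"ldap": ("config", "token_policies")}


class HttpVault:
    """Minimal read/list client over the Vault HTTP API (assumed-standard paths)."""

    def __init__(self, addr=None, token=None, namespace=None):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]
        self.namespace = namespace or os.environ.get("VAULT_NAMESPACE")

    def _get(self, path, query=""):
        req = urllib.request.Request(f"{self.addr}/v1/{path}{query}")
        req.add_header("X-Vault-Token", self.token)
        if self.namespace:  # Enterprise: run the crawl once per namespace
            req.add_header("X-Vault-Namespace", self.namespace)
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp).get("data") or {}
        except urllib.error.HTTPError as err:
            if err.code == 404:  # nothing configured at this path
                return None
            raise

    def list(self, path):
        data = self._get(path, "?list=true")
        return data.get("keys", []) if data else []

    def read(self, path):
        return self._get(path)


class FakeVault:
    """In-memory stand-in with the same read/list interface, for offline runs."""

    def __init__(self, store):
        self.store = store

    def list(self, path):
        prefix = path.rstrip("/") + "/"
        return sorted({k[len(prefix):].split("/")[0] for k in self.store if k.startswith(prefix)})

    def read(self, path):
        return self.store.get(path)


def as_policy_list(value):
    """Policy fields come back as lists; tolerate the comma-separated string form too."""
    if value is None:
        return []
    if isinstance(value, str):
        return [p.strip() for p in value.split(",") if p.strip()]
    return list(value)


def policy_references(vault, policy):
    """Return 'path [field]' for every configured object that grants `policy`."""
    hits = []

    def check(path, data, field):
        if data and policy in as_policy_list(data.get(field)):
            hits.append(f"{path} [{field}]")

    # Identity: entities and groups carry policies directly.
    for kind in ("entity", "group"):
        for ident in vault.list(f"identity/{kind}/id"):
            path = f"identity/{kind}/id/{ident}"
            check(path, vault.read(path), "policies")

    # Auth methods: enumerate mounts from sys/auth, then roles and config per type.
    for mount, info in (vault.read("sys/auth") or {}).items():
        mount, atype = mount.rstrip("/"), info.get("type")
        if (loc := ROLE_LOCATIONS.get(atype)) is not None:
            list_suffix, read_suffix, field = loc
            for name in vault.list(f"auth/{mount}/{list_suffix}"):
                path = f"auth/{mount}/{read_suffix}/{name}"
                check(path, vault.read(path), field)
        if (cfg := CONFIG_LOCATIONS.get(atype)) is not None:
            check(f"auth/{mount}/{cfg[0]}", vault.read(f"auth/{mount}/{cfg[0]}"), cfg[1])
    return hits


# Constructed sample data (not from any real server) so the crawl runs offline.
SAMPLE_STORE = {
    "sys/auth": {"token/": {"type": "token"}, "approle/": {"type": "approle"}, "ldap/": {"type": "ldap"}},
    "identity/entity/id/e1": {"name": "alice", "policies": ["default", "deploy"]},
    "identity/entity/id/e2": {"name": "bob", "policies": ["default"]},
    "identity/group/id/g1": {"name": "ops", "policies": ["deploy"]},
    "auth/approle/role/ci": {"token_policies": ["deploy"]},
    "auth/approle/role/web": {"token_policies": ["web"]},
    "auth/token/roles/release": {"allowed_policies": ["deploy", "release"]},
    "auth/ldap/groups/admins": {"policies": "admin,deploy"},
    "auth/ldap/config": {"token_policies": ["default"]},
}


def demo(policy="deploy"):
    return policy_references(FakeVault(SAMPLE_STORE), policy)


if __name__ == "__main__":
    client = HttpVault() if "VAULT_ADDR" in os.environ else FakeVault(SAMPLE_STORE)
    for hit in policy_references(client, os.environ.get("POLICY", "deploy")):
        print(hit)
```

Run it with `VAULT_ADDR`, `VAULT_TOKEN` and `POLICY` set to crawl a real server (read/list permission on each path is needed); without `VAULT_ADDR` it runs against the constructed sample store. It covers only the objects the answer names, so any further auth methods need their own entries in `ROLE_LOCATIONS`, and tokens minted directly via `auth/token/create` are not enumerated at all, exactly as the answer warns.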