Policy templates for approles

I have a number of different microservices, each of which falls under an environment and app name. There are over 10 combinations at the moment, and that number will be growing. I’d like to write simple policies for them to access their own secrets. The policy would look something like the following:

path "secret/{{identity.entity.metadata.environment}}/services/common/*" {
  capabilities = ["read"]
}

path "secret/{{identity.entity.metadata.environment}}/services/{{identity.entity.metadata.service}}/*" {
  capabilities = ["read"]
}
  • Because services are really machines, approle authentication seems most appropriate.
  • Policy templating seems to support reading metadata from identity.entity.metadata; however, I’ve not been able to successfully create an alias for an entity from an approle (userpass is fine as in the example).
  • approle does not seem to support metadata and policy templating does not seem to expose any access to approle data anyway.

Is this a shortcoming of Vault as of now? Should I just use userpass for the time being?

I am also facing the same. I think policy templates don’t have support for approles.

Can you provide the steps you’ve been using to create the policy, AppRole role, Identity Entity (including policy and metadata assignment), and Identity Alias?

I was able to get this working in a dev server without issue.

Actually, I created a userpass user. He has access only to log in to a specific role. This role actually has access to read and write secrets.

The secret mount path will be different for different users. So, instead of creating a separate policy for each role, can we leverage policy templates for app roles?

Can you share the policy which worked for you?

Policy was the same as in the original post but I added the ability to list all secrets to make the GUI easier to navigate and added in the /data sub folder so it works with KVv2.

path "secret/metadata/*" {
  capabilities = ["read", "list"]
}

path "secret/data/{{identity.entity.metadata.environment}}/services/common/*" {
  capabilities = ["read"]
}

path "secret/data/{{identity.entity.metadata.environment}}/services/{{identity.entity.metadata.service}}/*" {
  capabilities = ["read"]
}

But entity alias is not working for app roles. If we map an app role to an entity by creating an alias, it is creating a new entity again.

In your case, have you mapped the approle to an entity to get this policy to work?

Yes, it works fine.

Please share the steps you’re taking to create the policy, AppRole role, Identity Entity, and Identity Entity Alias and I can review to see where things may be going wrong.

I have created a userpass user bhardwaj.nithin and mapped him to the entity nithin by creating an alias for the entity, and attached the following policy to the userpass user:

# To get approle role-id
path "auth/user-secrets-role/role/read-write-role/role-id" {
  capabilities = ["read", "list"]
}

# To generate secret-id mounted in the specified path
path "auth/user-secrets-role/role/read-write-role/secret-id" {
  capabilities = ["create", "read", "list", "update"]
}

I have created an app role read-write-role and mapped it to the entity nithin by creating an alias for the entity, and attached the following policy to the role read-write-role:

Grant permissions on user specific path

path "secret/{{identity.entity.name}}/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}

The entity nithin has two aliases: one for the userpass and the other for the approle.

What are you using for the AppRole alias name to map to the nithin entity?

I am using the name of the approle as the alias name.

I think that’s your issue. You need to use the role_id as the name of the Alias (make sure it’s bound to the correct AppRole mount as well).

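The alias mapping described in the reply above, as an added example that is not part of the original thread: it reads the role's role_id, looks up the accessor of the AppRole mount, and creates the entity alias under that role_id. The mount, role and entity names are the ones posted earlier in the thread; the metadata pairs in the usage line are constructed, and the caller is assumed to hold a token allowed to write under identity/.

```shell
# Added example (not from the thread). Mount, role and entity names reuse the
# ones posted above; the metadata pairs passed by the caller are constructed.
bind_approle_to_entity() {
  [ $# -ge 4 ] || { echo "usage: bind_approle_to_entity MOUNT ROLE ENTITY key=value..." >&2; return 2; }
  mount=$1 role=$2 entity=$3
  shift 3

  # AppRole logins present the role_id, not the role name, as the alias name.
  role_id=$(vault read -field=role_id "auth/$mount/role/$role/role-id")

  # The alias is matched per auth mount, so it needs that mount's accessor
  # (third column of the `vault auth list` table).
  accessor=$(vault auth list | awk -v p="$mount/" '$1 == p { print $3 }')
  [ -n "$accessor" ] || { echo "no auth mount at $mount/" >&2; return 1; }

  # Turn each key=value argument into metadata=key=value without word splitting.
  n=$# i=0
  while [ "$i" -lt "$n" ]; do
    set -- "$@" "metadata=$1"; shift; i=$((i + 1))
  done

  # Create or update the entity by name; its metadata feeds the
  # {{identity.entity.metadata.*}} placeholders in the templated policy.
  vault write "identity/entity/name/$entity" "$@" >/dev/null
  entity_id=$(vault read -field=id "identity/entity/name/$entity")

  vault write identity/entity-alias name="$role_id" \
    canonical_id="$entity_id" mount_accessor="$accessor" >/dev/null
  echo "$role_id $accessor $entity_id"
}

# Usage, against a server you are already authenticated to:
#   bind_approle_to_entity user-secrets-role read-write-role nithin environment=prod service=billing
```

If a login through the role still lands on a freshly created entity, compare the alias name and mount accessor stored on the intended entity with the values this function prints.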

If I give the role id from the UI, it shows as saved successfully, but I am not able to see it under aliases.

What version of Vault are you running?
Do you get the same result when using the CLI or API?
Also, can you provide a series of screenshots to show what you’re experiencing in the GUI?

Thank you so much. This is super useful. It got resolved. I had entered the wrong role-id.

As we have different users, can we map the same role as an alias to different entities instead of creating separate roles?
I am not able to add the same role as an alias for different entities.

You’ll probably want to leverage internal Identity Groups for this. I’ve not used them much so it might take some experimentation on your end. But you should be able to apply the policy to the group and then make the user_pass Entity a member and make the AppRole Entity a member (note that the AppRole and user_pass Entities should be distinct). When you assign policies to the group they will apply to the members when the members log in.

You can also assign metadata to the group. This should get you what you’re after, if I’m understanding correctly.

In this case also, we may have to create different roles for different users, right?

I guess it depends what you’re trying to do. If you want multiple users to have access to a single AppRole then you’d need one AppRole role per group of users. If each user needs their own unique AppRole for some reason then an AppRole role should be created per user (I suppose each user could generate their own secret_id for the single role but then you would likely lose a lot of visibility of who is using the role).

I’m not really sure what the benefit of the latter would be over just the userpass login, however.

Perhaps you could outline your usage scenario and I and/or others can weigh in on the strategy.

My use case is that each user has a secret engine, i.e., for example, I have two users A and B, and they have their own secret engines enabled on mount paths secret/A and secret/B.

To access the secret, I want the user to read the secret using the following steps.

  1. Login with the userpass user name and password and get the token
  2. Use the token generated in Step-1 and get the role id
  3. Use the token generated in Step-1 and get the secret id
  4. Login to Approle using the role id and secret id generated in Step-2 and Step-3 and Get the token
  5. Use the token generated in step 4 to fetch the secret

Here the user has access only to get the role id and secret-id, and the app role will have access only to fetch the secret.

The problem I am facing is to create a single app role and attach it as an alias for multiple user entities. It is working if I attach it to a single entity.