Policy templates referencing "current" alias

Hi all,

I have an idea about using entities, roles and templated policies, but I’m not sure if it’s possible (or even if it’s a good idea).

Our use case is as follows:

We want to use our Vault server as the read-only source of external secrets for our k8s clusters.

We’ll need to configure a kubernetes auth method for each of the clusters.

The idea is to create a single Vault Entity for our “external-secrets” ServiceAccounts that will be connecting to Vault. That entity would then have a kubernetes auth alias created for each of our clusters. Each of these kubernetes auth backends would have a role with the policy attached, granting read-only access to the secrets backend for that particular cluster (e.g. /k8s/<cluster name>).

<cluster name> would be set on alias metadata.

Ideally, we’d only have to write a single templated policy that would reference “current” alias (i.e. the one used to authenticate the user), something like:

path "k8s/{{ identity.entity.auth_alias.metadata.cluster_name }}/*" {
  capabilities = [ "read" ]
}

That policy could then be referenced by roles on each of the k8s auth backends.

Would that be a valid feature request, since I don’t think this is possible at the moment…

Thank you!
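An added example, not part of the original post: Vault's existing templated-policy syntax resolves alias metadata by mount accessor (`{{identity.entity.aliases.<mount accessor>.metadata.<key>}}`) rather than by "the alias used to log in", so with today's feature set the closest equivalent is one rendered policy per cluster auth mount, each attached only to roles on that mount. The script below renders those policies from a cluster-to-accessor mapping; the cluster names, accessor values and the accessor regex are constructed assumptions (real accessors come from `vault auth list -detailed`).

```python
from __future__ import annotations

import re

# Constructed sample: cluster name -> accessor of that cluster's kubernetes auth mount.
# The accessor values are placeholders in the shape Vault uses (auth_<type>_<8 hex>).
CLUSTER_MOUNT_ACCESSORS = {
    "prod-eu": "auth_kubernetes_1a2b3c4d",
    "prod-us": "auth_kubernetes_5e6f7a8b",
}

# Approximate shape of a Vault auth-mount accessor (assumption, used as a sanity check).
ACCESSOR_RE = re.compile(r"^auth_[a-z0-9]+_[0-9a-f]{8}$")


def render_cluster_policy(cluster: str, accessor: str) -> str:
    """Render the read-only policy for one cluster.

    The template looks up the alias on the given mount accessor, so cluster_name
    is taken from that alias's metadata no matter which mount the token actually
    logged in through. That is why the policy must only be attached to roles on
    the same mount; attached elsewhere it would still grant this cluster's path.
    """
    if not ACCESSOR_RE.match(accessor):
        raise ValueError(f"{accessor!r} does not look like a Vault auth accessor")
    return (
        f"# read-only policy for cluster {cluster}; attach to roles on mount {accessor} only\n"
        f'path "k8s/{{{{identity.entity.aliases.{accessor}.metadata.cluster_name}}}}/*" {{\n'
        f'  capabilities = ["read"]\n'
        f"}}\n"
    )


def render_all(mapping: dict[str, str]) -> dict[str, str]:
    """Return {policy_name: policy_hcl}, one policy per cluster auth mount."""
    return {
        f"external-secrets-{cluster}": render_cluster_policy(cluster, accessor)
        for cluster, accessor in mapping.items()
    }


if __name__ == "__main__":
    for name, hcl in render_all(CLUSTER_MOUNT_ACCESSORS).items():
        print(f"--- {name}\n{hcl}")
```

Each rendered document can be loaded with `vault policy write <name> -` on stdin and referenced by the role on the matching kubernetes auth mount.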