Query what tokens have root policy attached

I am working on an auditing question where I am asked to prove who has full rights to our Vault servers. I know that I and two of my teammates have the root policy attached to our tokens, but how do I provide proof of that? Is there a way I can see who else has the root policy attached to their account?

I found this one this week:

Maybe it could help you out a little bit in your use case.

Thank you very much for the help.

It turns out that the Python script did not work for me. We have so many accessors in our Vault that the script times out. Here is how we got around it.

  1. First get the list of the accessors
    vault list -format=json auth/token/accessors | jq -r '.[]' > all_accessors.txt

  2. The Python script would not return the values properly when we did have the accessors list, so I wrote this shell script instead.

#!/usr/bin/env bash
# Get list of all accessors (JSON output avoids the "Keys"/"----" header
# lines that the table output would add to the file)
#vault list -format=json auth/token/accessors | jq -r '.[]' > all_accessors.txt

echo "Token,DisplayName,CreateTime,ExpireTime,Policies" > vault_admins.txt

# make sure tokens.txt starts out empty
# shellcheck disable=SC2188
> tokens.txt

# jq command to join an array - https://stackoverflow.com/a/32276111
# the .? - https://unix.stackexchange.com/a/530363
while read -r token; do

  # accessor first, then the looked-up fields on the same line
  echo -n "\"${token}\"," | tee -a tokens.txt
  payload="{\"accessor\": \"${token}\"}"

  curl \
      -s --header "X-Vault-Token: ${VAULT_TOKEN}" \
      --request POST \
      --data "${payload}" \
      "${VAULT_ADDR}/v1/auth/token/lookup-accessor" | \
      jq -r '
        .? |
        [
          .data.display_name,
          (.data.creation_time | tostring),
          (.data.expire_time | tostring),
          (.data.policies | join("|"))
        ] | @csv
      ' | tee -a tokens.txt

  # terminate the line even if the lookup returned nothing
  echo | tee -a tokens.txt
  sleep .2
done < all_accessors.txt

# @csv double-quotes strings, so the policies field looks like "root" or
# "default|root"; match root as a whole policy name in that (last) field
grep -E '(,"|\|)root(\|[^"]*)?"$' tokens.txt >> vault_admins.txt
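The same procedure (list accessors, look each one up, keep the ones whose policies include root) as an added Python example that is not the script from this thread or the one linked above. It checks the policy list exactly instead of grepping the CSV, so a policy named e.g. "rootish" is not counted, and it also looks at the `identity_policies` field that `lookup-accessor` returns, because a token can carry root through its entity rather than through its own policy list. The live helpers assume `VAULT_ADDR` and `VAULT_TOKEN` in the environment, as the CLI does; the sample lookup results at the bottom are constructed for illustration.

```python
"""Find Vault token accessors whose effective policies include "root".

Added example (not the thread's script). Live helpers assume VAULT_ADDR and
VAULT_TOKEN are set and that the caller may list auth/token/accessors and
update auth/token/lookup-accessor.
"""
import csv
import json
import os
import sys
import time
import urllib.error
import urllib.request


def effective_policies(lookup_data):
    """Token policies plus identity policies from one lookup-accessor response."""
    pols = set(lookup_data.get("policies") or [])
    pols.update(lookup_data.get("identity_policies") or [])
    return pols


def has_root_policy(lookup_data):
    # exact policy-name match, so "rootish" or "root-readonly" do not count
    return "root" in effective_policies(lookup_data)


def summarize(accessor, lookup_data):
    return {
        "accessor": accessor,
        "display_name": lookup_data.get("display_name"),
        "creation_time": lookup_data.get("creation_time"),
        "expire_time": lookup_data.get("expire_time"),
        "policies": "|".join(sorted(effective_policies(lookup_data))),
    }


def find_root_tokens(accessors, lookup):
    """lookup(accessor) returns the lookup 'data' dict, or None if the token
    was revoked between listing and lookup; such accessors are skipped."""
    found = []
    for acc in accessors:
        data = lookup(acc)
        if data is not None and has_root_policy(data):
            found.append(summarize(acc, data))
    return found


# --- live API helpers; not used by the constructed sample below ---
def _vault_request(method, path, body=None):
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def list_accessors():
    # LIST over HTTP is GET with ?list=true; keys come back as a JSON array
    return _vault_request("GET", "auth/token/accessors?list=true")["data"]["keys"]


def lookup_accessor(accessor, pause=0.2):
    time.sleep(pause)  # same pacing as the shell script
    try:
        return _vault_request("POST", "auth/token/lookup-accessor",
                              {"accessor": accessor})["data"]
    except urllib.error.HTTPError as e:
        if e.code == 400:  # assumption: revoked/unknown accessor -> skip it
            return None
        raise


def write_report(rows, path="vault_admins.csv"):
    fields = ["accessor", "display_name", "creation_time", "expire_time", "policies"]
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fields)
        w.writeheader()
        w.writerows(rows)


# Constructed sample lookup results (not real Vault output)
SAMPLE_LOOKUPS = {
    "acc-1": {"display_name": "root", "creation_time": 1700000000,
              "expire_time": None, "policies": ["root"]},
    "acc-2": {"display_name": "token", "creation_time": 1700000100,
              "expire_time": "2025-01-01T00:00:00Z", "policies": ["default", "root"]},
    "acc-3": {"display_name": "userpass-alice", "creation_time": 1700000200,
              "expire_time": None, "policies": ["default"], "identity_policies": ["root"]},
    "acc-4": {"display_name": "userpass-bob", "creation_time": 1700000300,
              "expire_time": None, "policies": ["default", "rootish"]},
    "acc-5": None,  # revoked between list and lookup
}

if __name__ == "__main__":
    if "--live" in sys.argv:
        write_report(find_root_tokens(list_accessors(), lookup_accessor))
    else:
        for row in find_root_tokens(list(SAMPLE_LOOKUPS), SAMPLE_LOOKUPS.get):
            print(row)
```

Run with `--live` to query the server and write `vault_admins.csv`; without it the constructed sample is used, which reports acc-1, acc-2 and acc-3 (the third only because its identity policies carry root) and leaves out the "rootish" token and the revoked accessor.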

vault list auth/token/accessors will fail if there are too many tokens. You will get an "Error listing auth/token/accessors/: context deadline exceeded" error if it takes too long.

If that is the case you may have to increase the max duration. I have not had a chance to test this.

What about this?

vault-auditor -h
Usage: vault-auditor [--version] [--help] <command> [<args>]

Available commands are:
    parse      Parse audit logs to find entity and token counts
    version    Prints the vault-auditor version