Question regarding identity groups pull in entities and groups from other namespaces

Hello,

I’m using Vault Enterprise with multiple namespaces. I read the tutorial here: Secure multi-tenancy with namespaces | Vault | HashiCorp Developer. It said:

Identity groups can pull in entities and groups from other namespaces.

And in the example, identity group “Training Admin” in namespace “education/training” pulls in entity “Bob Smith” from namespace “education”. I had a try and it works well.

Then I tried to have an identity group in namespace “education/training” pull in an entity from another namespace, “education/programming”, but it didn’t work.

Does that mean identity groups can only pull in entities and groups from parent namespaces? Can we clarify the scope of “other namespaces” in the tutorial?

Thanks!

I think that is correct.

My understanding is that when you log in to a namespace, you’re by design limited to accessing things within your login namespace and its children.

Therefore, in practice, you generally want everyone to always log in to the root namespace when you’re working with multiple business units within an organisation who need to expose Vault resources to each other.

Logging in to child namespaces is designed only for working with completely isolated tenants with no interactions.
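To make the scoping rule the thread arrives at concrete, here is an added pre-check (not code from the thread, the tutorial or Vault itself) that models it: a group in namespace G may include identities from G or from G's ancestor namespaces, never from siblings or children. The rule, the namespace names and the "Alice" entity are assumptions taken from this thread, not from Vault's source.

```python
"""Pre-check for Vault identity-group membership across namespaces.

Rule modelled (an assumption drawn from the behaviour reported in the thread,
not from Vault's source): an identity living in namespace E may be a member of
a group in namespace G only when E is G itself or an ancestor of G, up to the
root namespace. Sibling and child namespaces are out of scope.
"""


def normalize_ns(ns: str) -> str:
    """Strip surrounding slashes; the root namespace becomes ''."""
    return "/".join(p for p in ns.strip().split("/") if p)


def ancestors_or_self(ns: str) -> list[str]:
    """Return the chain root, ..., ns as normalised paths, root first."""
    parts = [p for p in normalize_ns(ns).split("/") if p]
    return ["/".join(parts[:i]) for i in range(len(parts) + 1)]


def can_be_member(group_ns: str, member_ns: str) -> bool:
    """True when an identity in member_ns may join a group in group_ns."""
    return normalize_ns(member_ns) in ancestors_or_self(group_ns)


def check_memberships(groups: dict[str, list[str]]) -> list[str]:
    """groups maps '<namespace>:<group>' to a list of '<namespace>:<identity>'.
    Returns one line per member that the scoping rule would reject."""
    problems = []
    for group_key, members in groups.items():
        group_ns, group_name = group_key.split(":", 1)
        for member in members:
            member_ns, member_name = member.split(":", 1)
            if not can_be_member(group_ns, member_ns):
                problems.append(
                    f"{group_name} ({group_ns or 'root'}) cannot include "
                    f"{member_name} ({member_ns or 'root'}): not an ancestor namespace"
                )
    return problems


# Constructed sample mirroring the thread: "Training Admin" in education/training
# pulls in "Bob Smith" from education (allowed) and a hypothetical "Alice" from
# the sibling namespace education/programming (rejected).
SAMPLE = {
    "education/training:Training Admin": ["education:Bob Smith", "education/programming:Alice"],
}

if __name__ == "__main__":
    print("\n".join(check_memberships(SAMPLE)) or "all memberships in scope")
```

Running it against a planned set of group definitions before applying them to Vault flags the sibling-namespace memberships that would otherwise silently fail.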