Rate limitation related to policy \ role

Hi, people!

I created role for AWS authentication in Vault. I need a possibility to use rate limits related to such role for one of my secret engines.
I found in documentation only global rules that affect all roles.

Is it possible to assign rate limits for specific path to the specific policy or role?

You can have as many rate limits as you want. The most strict will apply at the end.
The name of the rate-limit makes it unique.

You can rate limit by path.

$ vault list sys/quotas/rate-limit
$ vault read -format=json sys/quotas/rate-limit/global-auth-token | jq .data
  "block_interval": 300,
  "interval": 60,
  "name": "global-auth-token",
  "path": "auth/token/",
  "rate": 20,
  "type": "rate-limit"

Thanks for your answer, aram.
I mean a little different thing. Let me show example with AWS auth.

I enabled AWS auth and wrote configuration for access:

vault auth enable aws
vault write auth/aws/config/client secret_key=<secret> access_key=<access>

After that I created role that will be able to authenticate via such mechanism:

vault write auth/aws/role/my-test-role \
   auth_type=iam \
   bound_iam_principal_arn=arn:aws:iam::<id>:user/vault-client-test-user \
   policies=my_test_policy \

And also I have my test KV v2 engine: my_test_engine.

I need rate limitation that will affect only my-test-role role or my_test_policy policy, and this rate limitation should be relates only to my_test_engine secret engine.
Is it possible for Vault to make such configuration?

[ Rewrite ]

Sorry I’m rewriting this as I re-read your post.

No, you can’t build on different paths and create a complex rule.

You can rate-limit “a” path, it has no connectivity to other paths or auth or policies. You CAN rate-limit each of the paths but that’s it. Also rate-limiting a policy doesn’t make much sense – unless you’re using that policy in multiple auth setups and you want to limit the rate at which the policy can be requested (not sure that would work anyway – if auth is not rate-limited and succeeds – rating the policy isn’t going to stop the auth from success or failure).

1 Like

For now it is clear for me. Thanks a lot for your answer.