Rate limitation related to policy \ role

Hi, people!

I created a role for AWS authentication in Vault. I need the ability to use rate limits tied to that role for one of my secret engines.
In the documentation I only found global rules that affect all roles.

Is it possible to assign rate limits for a specific path to a specific policy or role?

You can have as many rate limits as you want. The strictest will apply in the end.
The name of the rate limit makes it unique.

You can rate limit by path.

$ vault list sys/quotas/rate-limit
Keys
----
global-auth-token
global-rate-limiter
$ vault read -format=json sys/quotas/rate-limit/global-auth-token | jq .data
{
  "block_interval": 300,
  "interval": 60,
  "name": "global-auth-token",
  "path": "auth/token/",
  "rate": 20,
  "type": "rate-limit"
}

Thanks for your answer, aram.
I mean something a little different. Let me show an example with AWS auth.

I enabled AWS auth and wrote the configuration for access:

vault auth enable aws
vault write auth/aws/config/client secret_key=<secret> access_key=<access>

After that I created a role that will be able to authenticate via this mechanism:

vault write auth/aws/role/my-test-role \
   auth_type=iam \
   bound_iam_principal_arn=arn:aws:iam::<id>:user/vault-client-test-user \
   policies=my_test_policy \
   max_ttl=30s

And I also have my test KV v2 engine: my_test_engine.

I need a rate limit that affects only the my-test-role role or the my_test_policy policy, and this rate limit should relate only to the my_test_engine secret engine.
Is it possible to configure Vault this way?

[ Rewrite ]

Sorry, I'm rewriting this as I re-read your post.

No, you can’t build on different paths and create a complex rule.

You can rate-limit "a" path; it has no connection to other paths, auth, or policies. You CAN rate-limit each of the paths, but that's it. Also, rate-limiting a policy doesn't make much sense, unless you're using that policy in multiple auth setups and you want to limit the rate at which the policy can be requested (not sure that would work anyway: if auth is not rate-limited and succeeds, rate-limiting the policy isn't going to stop the auth from succeeding or failing).

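A simplified model of the behaviour described in this thread, added here as an illustration and not part of Vault or of either poster's reply. It assumes a token bucket per quota keyed by client (not by role or policy), the `rate`/`interval`/`block_interval` fields shown above, and, as the answer states, that every quota whose path prefix matches must allow the request.

```python
# Added example: models why a Vault rate-limit quota can only be scoped by path.
# Assumption: one token bucket per (quota, client); a client that exceeds the
# rate is refused for block_interval seconds. Roles and policies never enter in.
from dataclasses import dataclass, field


@dataclass
class RateLimitQuota:
    name: str
    path: str                 # prefix, e.g. "my_test_engine/"; "" matches everything
    rate: float               # requests allowed per interval
    interval: float           # seconds
    block_interval: float = 0.0
    _tokens: dict = field(default_factory=dict)
    _last: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)

    def matches(self, request_path: str) -> bool:
        return request_path.startswith(self.path)

    def allow(self, client: str, now: float) -> bool:
        if now < self._blocked_until.get(client, 0.0):
            return False                      # still inside the block window
        tokens = self._tokens.get(client, self.rate)
        last = self._last.get(client, now)
        # refill proportionally to elapsed time, capped at the bucket size
        tokens = min(self.rate, tokens + (now - last) * self.rate / self.interval)
        self._last[client] = now
        if tokens >= 1:
            self._tokens[client] = tokens - 1
            return True
        self._tokens[client] = tokens
        if self.block_interval:
            self._blocked_until[client] = now + self.block_interval
        return False


def check_request(quotas, client: str, path: str, now: float) -> bool:
    """A request passes only if every matching path quota allows it.
    Note the signature: there is no role or policy argument to scope by."""
    return all(q.allow(client, now) for q in quotas if q.matches(path))


if __name__ == "__main__":
    # constructed sample: 3 requests/minute on the KV engine, 5-minute block
    quotas = [RateLimitQuota("engine-limit", "my_test_engine/", 3, 60, 300)]
    for t in range(5):
        print(t, check_request(quotas, "client-a", "my_test_engine/data/app", t))
```

Any client hitting `my_test_engine/` is throttled identically, which is the point of the answer above: to exempt a role you would need a separate path, not a separate quota.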

For now it is clear to me. Thanks a lot for your answer.