Restricting group from using vault

I am running vault and using OIDC as my auth method.
I also have a group with an alias of one of my user’s groups.

My problem is that anyone on my domain can access my vault using OIDC
and I want to make sure that only members belonging to the group with the alias can access the vault.
I tried solving it by changing the default policy to:

path "*" {
   capabilities = ["deny"]
}

and creating a policy named admin that looks like this:

path "*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

and applying the admin policy to my group with the alias.
But that way, when I try to log in to vault using OIDC as a user who is a member of that group with the admin policy, the default policy denies the login.

Do you have any suggestions for the best solution to this problem?

Yes, deny has priority on the other rules.

There are two things happening here: authentication and authorization. Vault allows you to log in if you succeed at the authentication step. You will see nothing other than the cubbyhole (in the UI). I don’t know how you could change that.

In other words, if someone can authenticate, they can use the cubbyhole if they want to. A user with no policies at all is a valid user for Vault.

A policy will allow a selected set of users to use the kv store or whatever mount you have.

If you want to keep out users that are not “authorized” to use Vault, the only thing you can work with, I’m afraid, is your authentication mechanism.

To solve a similar problem, I made a pull request to the LDAP auth backend so that it is possible to filter out users based on some LDAP attribute. For example, you could set a filter that prevents contractors and interns from logging in, even if they provide the right password.
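As an added illustration of the authentication/authorization split in the reply (example code written for this page, not code from the thread or from Vault), the model below runs the question's two setups side by side: the deny-all default policy, which still lets everyone log in and then blocks even the group member, versus restricting login at the auth layer with the OIDC role's `bound_claims` parameter. It assumes the IdP puts group names in a `groups` claim; the group name, e-mail addresses and secret path are constructed, and the policy-merging logic is a simplification of Vault's.

```python
from fnmatch import fnmatch

# Policies as {path glob: capabilities}; the two policies from the question.
POLICIES = {
    "default": {"*": {"deny"}},
    "admin": {"*": {"create", "read", "update", "delete", "list", "sudo"}},
}
ADMIN_GROUP = "vault-admins"  # constructed name of the aliased group

def authenticate(role, claims):
    """Authn step: each bound claim must match a value in the ID token.
    A role without bound_claims accepts every user the IdP vouches for."""
    for claim, allowed in role.get("bound_claims", {}).items():
        present = claims.get(claim, [])
        present = [present] if isinstance(present, str) else present
        if not set(present) & set(allowed):
            return False
    return True

def authorize(policy_names, path, capability):
    """Authz step: merge the rules of all attached policies; a matching
    'deny' wins over every other capability (simplified model)."""
    granted, denied = set(), False
    for name in policy_names:
        for pattern, caps in POLICIES[name].items():
            if fnmatch(path, pattern):
                denied = denied or "deny" in caps
                granted |= caps
    return not denied and capability in granted

def attempt(role, claims):
    """Return (logged_in, can_read_secret) for one user against one role."""
    if not authenticate(role, claims):
        return (False, False)
    names = list(role["token_policies"])
    if ADMIN_GROUP in claims.get("groups", []):  # group alias -> admin policy
        names.append("admin")
    return (True, authorize(names, "secret/data/app", "read"))

# The question's setup: open role, default policy rewritten to deny-all.
OPEN_ROLE = {"token_policies": ["default"]}
# The reply's direction: filter at the auth layer and leave the default
# policy untouched (modelled here as not attaching it at all).
BOUND_ROLE = {"token_policies": [], "bound_claims": {"groups": [ADMIN_GROUP]}}

MEMBER = {"email": "alice@example.com", "groups": [ADMIN_GROUP]}  # constructed
OUTSIDER = {"email": "bob@example.com", "groups": ["staff"]}      # constructed
```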