Templated ACL policies using LDAP Groups

Hi there,

Recently, I worked on implementing something called “Templated ACL policies”. The goal of this implementation was to create a “KV Engine” with a specific path: “/user_secrets/{LDAP_USER}/priv”. This allows a user to access their own secrets in a dynamic path that contains his/her username.

The policy applied was:

path "/user_secrets/data/{{identity.entity.aliases.auth_ldap_62a0e103.metadata.name}}/priv/*"
{
  capabilities = ["read", "create", "list", "delete", "update"]
}

For example: an {LDAP_USER} logged in as johndoe, who belongs to groups=[“admin”, “devops”].

johndoe can [“read”, “create”, “list”, “delete”, “update”] in the path “/user_secrets/data/johndoe/priv/*”.

I need to do the same but with his groups in another KV Engine with path “/groups_secrets/data/{LDAP_GROUP}/priv/*”:

For example: johndoe can read or list the path:
“/groups_secrets/data/devops/priv/*”

How can I do this?

In ACL Policy Path Templating, an option with groups is not specified.

Thanks in advance.


I looked into this in depth myself too, at my former organization.

It is not possible.

The reason it is not possible comes in two parts:

  1. There is no ACL policy path template expression that expands to the list of group names a user is a member of

  2. Even if someone wanted to make a change to the Vault code to introduce such a feature, they would first have to deal with the challenge that users are generally in multiple groups, but the current ACL policy path templating expansion cannot expand in such a way as to cause one path expression to generate multiple resulting paths.

Unfortunately, the practical answer with the Vault of today is to accept that you’ll need automation external to Vault that builds and uploads dynamically generated policies as the list of groups which need to store data changes.
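A sketch of the external automation described in the answer above, as an added example that is not part of the original thread and not HashiCorp's code: it renders one policy per group for the `groups_secrets` mount and works out which policies to upload or remove when the group list changes. The `group-secrets-` prefix, the group-name rule and the KV v2 layout (`data/` for read, `metadata/` for list) are assumptions.

```python
import re
import subprocess

MOUNT = "groups_secrets"    # KV mount from the question; KV v2 layout assumed
PREFIX = "group-secrets-"   # hypothetical prefix marking policies this script owns
# Assumed group-name rule. Rejecting anything else keeps '*', '+', '/', quotes
# and newlines in an LDAP group name from widening or breaking the policy path.
GROUP_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")


def render_policy(group):
    """Return HCL granting read and list under one group's priv/ subtree."""
    if not GROUP_RE.fullmatch(group):
        raise ValueError(f"refusing unsafe group name: {group!r}")
    return (
        f'path "{MOUNT}/data/{group}/priv/*" {{\n'
        '  capabilities = ["read"]\n'
        '}\n'
        f'path "{MOUNT}/metadata/{group}/priv/*" {{\n'
        '  capabilities = ["list"]\n'
        '}\n'
    )


def plan(groups, existing_policies):
    """Return (policies to write, stale policy names to delete)."""
    wanted = {PREFIX + g: render_policy(g) for g in sorted(set(groups))}
    stale = sorted(p for p in existing_policies
                   if p.startswith(PREFIX) and p not in wanted)
    return wanted, stale


def apply(wanted, stale):
    """Upload via the vault CLI; needs VAULT_ADDR and a token allowed to manage policies."""
    for name, hcl in wanted.items():
        subprocess.run(["vault", "policy", "write", name, "-"],
                       input=hcl, text=True, check=True)
    for name in stale:
        subprocess.run(["vault", "policy", "delete", name], check=True)


if __name__ == "__main__":
    # Constructed sample input: the groups from the question, plus the policy
    # names already in Vault, one of which belongs to a retired group.
    wanted, stale = plan(["admin", "devops"],
                         ["default", "group-secrets-devops", "group-secrets-qa"])
    for name, hcl in wanted.items():
        print(f"# {name}\n{hcl}")
    print("delete:", stale)
```

Each generated policy still has to be attached to the matching group in the LDAP auth method's group-to-policy mapping, which this sketch leaves out.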

Hi maxb!!!
I suspected the same and you confirmed it.

Thanks a lot for your answer