Hello Folks!
I have a k8s cluster integrated with Vault and I'm trying to use templated policies instead of defining each path explicitly. I created a policy that uses identity.entity.aliases.auth_accessor.metadata.service_account_namespace in the path so it will match the path to the namespace of any serviceaccount that authenticated via the auth_accessor and allow read and list permissions:
path "secret/{{identity.entity.aliases.auth_accessor.metadata.service_account_namespace}}/*" {
  capabilities = [ "read", "list" ]
}
What I have noticed is that when the service gets authenticated it gets 403 on HTTPS GET as shown below:
vault.read (secret/namespace) , permission denied 403 GET https://vault-url/v11/data/secret/namespace
vault.read (secret/namespace) , permission denied 403 GET https://vault-url/v11/metadata/secret/namespace
I tried to add /data and /metadata to the policy but no luck!
Can anyone explain to me how Vault GETs the secrets? As far as I know, all secret calls are sent to /v1/secret/path/to/secret. What have I missed in the above policy?
Regards,
Abeer
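Added illustration, not code from the post above or from Vault itself: a small Python model of how a templated policy is rendered from an entity alias's metadata and then matched against the path a KV v2 request really uses (secret/data/... for reads, secret/metadata/... for lists). The accessor value, the "payments" namespace and the alias metadata are constructed placeholders.

```python
import re

# Constructed example, not code from the original post or from Vault: a small
# model of how Vault renders a templated policy from an entity alias's metadata
# and then matches it against the path a KV v2 request actually uses.
# AUTH_ACCESSOR is a placeholder; the real value is the Kubernetes auth mount
# accessor shown by `vault auth list`.
AUTH_ACCESSOR = "auth_kubernetes_PLACEHOLDER"
NS_TEMPLATE = "{{identity.entity.aliases.%s.metadata.service_account_namespace}}" % AUTH_ACCESSOR

# Policy in the form used in the post: no data/ or metadata/ segment.
POLICY_AS_POSTED = 'path "secret/%s/*" {\n  capabilities = ["read", "list"]\n}\n' % NS_TEMPLATE

# KV v2 form: reads hit secret/data/<path>, lists hit secret/metadata/<path>.
POLICY_KV2 = ('path "secret/data/%s/*" {\n  capabilities = ["read"]\n}\n'
              'path "secret/metadata/%s/*" {\n  capabilities = ["read", "list"]\n}\n'
              % (NS_TEMPLATE, NS_TEMPLATE))

# Constructed alias metadata, in the shape the Kubernetes auth method populates.
ALIASES = {AUTH_ACCESSOR: {"service_account_namespace": "payments",
                           "service_account_name": "api"}}

STANZA_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
TEMPLATE_RE = re.compile(r"\{\{identity\.entity\.aliases\.([^.}]+)\.metadata\.([^}]+)\}\}")

def render(policy, aliases):
    """Substitute each template with the named accessor's alias metadata.
    Returns a list of (rendered_path, capabilities) rules."""
    rules = []
    for path, caps in STANZA_RE.findall(policy):
        rendered = TEMPLATE_RE.sub(lambda m: aliases[m.group(1)][m.group(2)], path)
        rules.append((rendered, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules

def path_matches(rule, request):
    """Vault-style matching: exact, or prefix match when the rule ends in '*'."""
    return request.startswith(rule[:-1]) if rule.endswith("*") else rule == request

def allowed(policy, aliases, request_path, capability):
    """True if any rendered rule covers request_path with the capability."""
    return any(path_matches(rule, request_path) and capability in caps
               for rule, caps in render(policy, aliases))

if __name__ == "__main__":
    # `vault kv get secret/payments/db`  -> GET  /v1/secret/data/payments/db
    # `vault kv list secret/payments`    -> LIST /v1/secret/metadata/payments/
    for name, pol in (("as posted", POLICY_AS_POSTED), ("kv v2", POLICY_KV2)):
        print(name, "read:", allowed(pol, ALIASES, "secret/data/payments/db", "read"),
              "list:", allowed(pol, ALIASES, "secret/metadata/payments/", "list"))
```

Against a real server, `vault token capabilities <token> secret/data/payments/db` shows what the rendered policy actually grants for a given token.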