Hey
I was trying to implement a generic rule that will allow each Kubernetes service to access it’s own path. This is what I tried:
path "secret/services/k8s/{{identity.entity.metadata.metadata.service_account_namespace}}/{{identity.entity.metadata.metadata.service_account_name}}/*" {
// Do not allow services to write, create or delete secrets
capabilities = ["read"]
}
But this does not work - anyone managed to write such a generic policy that works?
Just find the solution:
path "kv-v2/data/kubernetes/{{identity.entity.aliases.<kubernetes auth accessor>.metadata.service_account_namespace}}/{{identity.entity.aliases.<kubernetes auth accessor>.metadata.service_account_name}}" {
capabilities = ["read"]
}
To find the accessor, use vault auth list -detailed
Thanks dude! I’ve been struggling with this too for a while, there’s no guide anywhere and didn’t know how to test or see what properties does the identity.entity… object has.
How did you get to this solution?
Thanks again, you saved me a lot of time 