Templated policies for Kubernetes services

Hey
I was trying to implement a generic rule that will allow each Kubernetes service to access its own path. This is what I tried:

path "secret/services/k8s/{{identity.entity.metadata.metadata.service_account_namespace}}/{{identity.entity.metadata.metadata.service_account_name}}/*" {
  // Do not allow services to write, create or delete secrets
  capabilities = ["read"]
}

But this does not work - anyone managed to write such a generic policy that works?


Just found the solution:

path "kv-v2/data/kubernetes/{{identity.entity.aliases.<kubernetes auth accessor>.metadata.service_account_namespace}}/{{identity.entity.aliases.<kubernetes auth accessor>.metadata.service_account_name}}" {
  capabilities = ["read"]
}

To find the accessor, use vault auth list -detailed

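As an added example that is not part of the original thread or of Vault's own code: the script below does what the answer above describes end to end. It picks the Kubernetes auth accessor out of the JSON form of `vault auth list` (the auth list, the accessor value and the entity are constructed samples, modelled on the CLI's JSON output and on what `vault read identity/entity/id/<id>` returns), substitutes it into the templated policy, and then simulates how Vault resolves the `{{identity.entity.aliases.<accessor>.metadata.*}}` parameters for a given entity. The resolver is a simplified model of Vault's behaviour for this one template shape, not Vault's implementation; it is useful for checking, before the policy is written, which concrete path a service account will be confined to and that a different service account in the same namespace does not match.

```python
import json
import re

# Constructed sample of `vault auth list -format=json` output. The accessor
# strings are made up; Vault generates the real one when the method is enabled.
SAMPLE_AUTH_LIST = json.dumps({
    "token/": {"type": "token", "accessor": "auth_token_00000000"},
    "kubernetes/": {"type": "kubernetes", "accessor": "auth_kubernetes_11111111"},
})

# Constructed entity, modelled on the shape `vault read identity/entity/id/<id>`
# returns: a list of aliases, each tagged with the accessor of the auth mount
# that created it and the metadata the Kubernetes auth method populated.
SAMPLE_ENTITY = {
    "name": "entity_a1b2c3",
    "aliases": [
        {
            "mount_accessor": "auth_kubernetes_11111111",
            "metadata": {
                "service_account_namespace": "payments",
                "service_account_name": "checkout-api",
            },
        }
    ],
}

# The policy from the answer, with ACCESSOR as the spot to fill in.
POLICY_TEMPLATE = (
    'path "kv-v2/data/kubernetes/'
    '{{identity.entity.aliases.ACCESSOR.metadata.service_account_namespace}}/'
    '{{identity.entity.aliases.ACCESSOR.metadata.service_account_name}}" {\n'
    '  capabilities = ["read"]\n'
    '}\n'
)

# Matches one alias-metadata template parameter: group 1 is the accessor,
# group 2 the metadata key.
TEMPLATE_PARAM = re.compile(
    r"\{\{identity\.entity\.aliases\.([^.}]+)\.metadata\.([^.}]+)\}\}"
)


def find_accessor(auth_list_json, mount="kubernetes/"):
    """Return the accessor of the Kubernetes auth mount from `vault auth list` JSON."""
    mounts = json.loads(auth_list_json)
    if mount not in mounts:
        raise KeyError(f"auth mount {mount!r} not found")
    entry = mounts[mount]
    if entry.get("type") != "kubernetes":
        raise ValueError(f"{mount!r} is a {entry.get('type')!r} mount, not kubernetes")
    return entry["accessor"]


def render_policy(accessor):
    """Fill the accessor into the templated policy; the {{...}} parameters stay."""
    return POLICY_TEMPLATE.replace("ACCESSOR", accessor)


def policy_path(policy_hcl):
    """Extract the quoted path from this single-stanza policy."""
    match = re.search(r'path\s+"([^"]+)"', policy_hcl)
    if match is None:
        raise ValueError("no path stanza found")
    return match.group(1)


def resolve_path(template_path, entity):
    """Simulate resolving the template parameters against one entity's aliases.

    Raises LookupError when the entity has no alias from that accessor or the
    alias lacks the metadata key, which in this model means the path cannot match.
    """
    aliases = {a["mount_accessor"]: a for a in entity.get("aliases", [])}

    def substitute(match):
        accessor, key = match.group(1), match.group(2)
        alias = aliases.get(accessor)
        if alias is None or key not in alias.get("metadata", {}):
            raise LookupError(f"no alias for {accessor} with metadata key {key}")
        return alias["metadata"][key]

    return TEMPLATE_PARAM.sub(substitute, template_path)


def is_allowed(policy_hcl, entity, requested_path):
    """True if the rendered policy's (exact, glob-free) path equals the request."""
    try:
        return resolve_path(policy_path(policy_hcl), entity) == requested_path
    except LookupError:
        return False


if __name__ == "__main__":
    accessor = find_accessor(SAMPLE_AUTH_LIST)
    policy = render_policy(accessor)
    print(policy)
    print("resolves to:", resolve_path(policy_path(policy), SAMPLE_ENTITY))
```

The policy path in the answer has no trailing `/*`, so the check here is an exact comparison; a policy that ends in `/*` would additionally need prefix matching in `is_allowed`. An entity whose token came from a different auth mount has no alias under that accessor, and the model treats that as no access rather than as a match on a literal `{{...}}` string.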

Thanks dude! I’ve been struggling with this too for a while, there’s no guide anywhere and I didn’t know how to test or see what properties the identity.entity… object has.

How did you get to this solution?

Thanks again, you saved me a lot of time 🙌