Unable to restrict Vault policy names in hcl template

I want to be able to create a policy that will allow creating a Kubernetes auth role and allow adding only a policy named kubernetes/default. I am using a policy template as follows:

    path "auth/kubernetes/role/{{identity.entity.aliases.auth_jwt_lll.metadata.project_id}}" {
      capabilities = ["read","delete", "list", "patch", "update","create"]
      
      allowed_parameters = {
        policies = ["kubernetes/default"]
        bound_service_account_names = []
        bound_service_account_namespaces = []
        ttl = []
      }
    }

This is saved, so I do not think there is a syntax issue, and also, I found this is working when I remove "kubernetes/default".

Anyway, I get the error:

      File "/usr/local/lib/python3.11/site-packages/hvac/adapters.py", line 294, in _raise_for_error
        utils.raise_for_error(
      File "/usr/local/lib/python3.11/site-packages/hvac/utils.py", line 41, in raise_for_error
        raise exceptions.VaultError.from_status(
    hvac.exceptions.Forbidden: 1 error occurred:
    	* permission denied
    , on post https://my.local:443/v1/auth/kubernetes/role/2751

The auth token that holds this policy was authenticated using a GitLab CI ID token, which is a JWT generated by GitLab and configured with the OIDC/JWT integration in Vault, although I do not believe this is the issue.

I'm pretty sure the fine-grained control parameters only work with attributes that have string values. The policy attribute is a list of strings.

You could try something like this to see if it works:

    path "auth/kubernetes/role/{{identity.entity.aliases.auth_jwt_lll.metadata.project_id}}" {
      capabilities = ["read","delete", "list", "patch", "update","create"]
      
      allowed_parameters = {
        policies = [["kubernetes/default"]] # <-- nested a list in the list
        bound_service_account_names = []
        bound_service_account_namespaces = []
        ttl = []
      }
    }

I wouldn’t expect it to work, but would be interested to hear your results.

If you’re a Vault Enterprise customer, Sentinel could be used to achieve your desired result.
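Why a list-valued `policies` is rejected by the allow-list in the question, while the same value sent as a plain string passes, can be seen with a small model of the `allowed_parameters` check. This is an added illustration, not code from either post or from Vault itself; the matching rule (a glob match for string values, exact equality for any other type), the `*`-only-at-the-ends glob, and the omission of the `*` key and `denied_parameters` are assumptions, and the role bodies are constructed. Under this model the nested-list form from the reply would match a list-valued request.

```python
# Simplified model of Vault's allowed_parameters check. Added illustration,
# not code from the thread or from Vault. Assumptions: a string allow-list
# entry is glob-matched against a string request value; any other type is
# compared by exact equality; the "*" key and denied_parameters are omitted.

def glob_match(pattern: str, value: str) -> bool:
    """Vault-style glob: '*' is honoured only at the start or end (assumed)."""
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def value_allowed(value, allowed: list) -> bool:
    """An empty allow-list means any value; otherwise one entry must match."""
    if not allowed:
        return True
    for entry in allowed:
        if isinstance(entry, str) and isinstance(value, str):
            if glob_match(entry, value):
                return True
        elif entry == value:  # a list only matches a structurally equal list
            return True
    return False

def request_allowed(allowed_parameters: dict, data: dict):
    """Return (True, None) or (False, name_of_first_rejected_parameter)."""
    for name, value in data.items():
        if name not in allowed_parameters:
            return False, name
        if not value_allowed(value, allowed_parameters[name]):
            return False, name
    return True, None

# The allow-list from the question, and two constructed role bodies that
# differ only in whether "policies" is sent as a JSON list or a plain string.
POLICY = {"policies": ["kubernetes/default"], "bound_service_account_names": [],
          "bound_service_account_namespaces": [], "ttl": []}
ROLE_AS_LIST = {"policies": ["kubernetes/default"],
                "bound_service_account_names": ["ci"], "ttl": "1h"}
ROLE_AS_STRING = {"policies": "kubernetes/default",
                  "bound_service_account_names": ["ci"], "ttl": "1h"}

if __name__ == "__main__":
    print(request_allowed(POLICY, ROLE_AS_LIST))    # (False, 'policies')
    print(request_allowed(POLICY, ROLE_AS_STRING))  # (True, None)
```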