Use Okta groups in Vault template policy

Hi there,

I am trying to use a template policy that dynamically allows users to have permissions based on the group they belong to.

  • Auth method: Okta

Let’s say I have group A and group B, and I want any member of group A to be able to see secrets under stage/A/*, and any user of group B to have permissions on stage/B/* and prod/B/*.

I created the below policy but it’s not working; not sure if I have configured this wrongly or it’s not supported for auth/okta.

# View k/v secrets
path "stage/{{identity.entity.alias.auth_okta_accessor.metadata.groups}}/*" {
capabilities = ["read", "list"]
}

path "prod/{{identity.entity.alias.auth_okta_accessor.metadata.groups}}/*" {
capabilities = ["read", "list"]
}

Would appreciate your input on how to make templated policies for the Okta provider.

cheers,
Abeer

Unfortunately Vault ACL policy templating does not support this use-case - I resorted to reading the source code trying to figure out if it was possible, as I wanted to do the same thing myself.

To get the result you require, it’s necessary to explicitly provision each group in the Vault Identity system, and link appropriate policies to them.
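The per-group provisioning maxb describes, as an added example (not code from the thread, from maxb, or from HashiCorp): since ACL templating cannot expand a list of Okta groups into a path, each Okta group gets its own static policy, an external identity group carrying that policy, and a group alias whose name matches the Okta group name so that members are linked on login. It assumes the Okta auth method is mounted at `okta/`, that `jq` is installed for reading the mount accessor, and that the Okta group names (`A`, `B` here) are exactly the alias names created below. Setting `VAULT=echo` dry-runs the script and prints the `vault` commands instead of executing them.

```shell
#!/bin/sh
# Added example: provision one Vault external group per Okta group and attach a
# static per-group policy, because ACL templating cannot expand a group list.
# Assumes the Okta auth method is mounted at "okta/" and that the Okta group
# names match the aliases created here. Set VAULT=echo to dry-run.
VAULT="${VAULT:-vault}"

# render_policy NAME PREFIX... : emit an HCL policy granting read/list under
# each PREFIX/NAME/* (e.g. render_policy B stage prod -> stage/B/*, prod/B/*).
render_policy() {
  name="$1"; shift
  for prefix in "$@"; do
    printf 'path "%s/%s/*" {\n  capabilities = ["read", "list"]\n}\n\n' "$prefix" "$name"
  done
}

# okta_accessor : look up the mount accessor of the okta/ auth method.
# Uses jq on `vault auth list -format=json`; returns a labelled placeholder
# in dry-run mode (assumed accessor value, not a real one).
okta_accessor() {
  if [ "$VAULT" = "vault" ]; then
    vault auth list -format=json | jq -r '."okta/".accessor'
  else
    echo "auth_okta_PLACEHOLDER"
  fi
}

# provision_group NAME PREFIX... : write the policy, create an external
# identity group bound to it, and alias the group to the Okta group of the
# same name via the Okta mount accessor.
provision_group() {
  name="$1"; shift
  policy="okta-group-$name"
  render_policy "$name" "$@" | $VAULT policy write "$policy" -
  group_id=$($VAULT write -field=id identity/group \
      name="$name" type="external" policies="$policy")
  $VAULT write identity/group-alias \
      name="$name" mount_accessor="$(okta_accessor)" canonical_id="$group_id"
}

# Group A: stage/A/* ; group B: stage/B/* and prod/B/* (the thread's example).
main() {
  provision_group A stage
  provision_group B stage prod
}

# Run with: VAULT=echo sh provision.sh run   (dry run), or: sh provision.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Adding a new Okta group means one more `provision_group` line: the policy path is fixed per group, which is exactly the duplication that templating would have avoided, but it is the only mechanism the identity system offers for group-scoped paths here.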

Thank you @maxb, this is disappointing :frowning:

It would make life easier if we could implement it dynamically without the need to provision each single group.