Use Okta groups in Vault template policy

octopus20 · May 13, 2022, 9:17pm

Hi there,

I am trying to use a template policy that dynamically allows users to have permissions based on the group they belongs to.

Auth method: Okta

Let’s say I have group A and group B and I want any member of group A to be able to see secrets under stage/A/* , and any user of group B to have permissions on stage/B/* and prod/B/*

I created the below policy but it’s not working, not sure if I have configured this wrongly or it’s not supported for auth/okta

# View k/v secrets
path "stage/{{identity.entity.alias.auth_okta_accessor.metadata.groups}}/*" {
capabilities = ["read", "list"]
}

path "prod/{{identity.entity.alias.auth_okta_accessor.metadata.groups}}/*" {
capabilities = ["read", "list"]
}

Would appreciate your input on how to make templated policies for okta provider.

cheers,
Abeer

maxb · May 13, 2022, 9:24pm

Unfortunately Vault ACL policy templating does not support this use-case - I resorted to reading the source code trying to figure out if it was possible, as I wanted to do the same thing myself.

To get the result you require, it’s necessary to explicitly provision each group in the Vault Identity system, and link appropriate policies to them.

octopus20 · May 14, 2022, 12:27pm

Thank you @maxb , this is disappointing

It would make the life easier if we can implement it dynamically without the need to provision each single group

Topic		Replies	Views
How does the mapping groups with Vault-auth-Okta Vault connect , vault	0	220	September 27, 2023
Templated ACL policies using LDAP Groups Vault vault	6	553	October 11, 2024
Unable to get user/group list when integrated with Okta Vault	5	1721	April 15, 2020
Templated Policies for K8s Vault k8s , vault	1	275	May 17, 2022
Dynamic LDAP Group Access Vault	4	1264	November 9, 2020

Use Okta groups in Vault template policy

Related topics