I am using vault 1.14.1.
Secrets management is being provisioned for users using the userpass method. When a user is created by an admin, the password is also set.
I would like the users to then be able to change their own password, and no other setting for their own account (i.e. not able to assign policies).
I have created a policy with this configuration:
path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_AccessorID.name}}" {
  capabilities = [ "update" ]
  allowed_parameters = {
    "password" = []
  }
}
The AccessorID in the policy has been correctly set to the actual ID.
The default policy is also assigned to the user (to allow own token management).
Using the Vault UI, when logged in as a test user, Authentication Methods are not even listed, so I’m unable to change the password.
I suspect additional permissions are needed & have tested some (list, read sys/auth) but cannot get the policy to correctly allow a user to change their own password.
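The same self-service policy exercised through the Vault CLI rather than the UI, as an added example that is not part of the post above. It assumes a reachable Vault with `VAULT_ADDR` and an admin `VAULT_TOKEN` in the environment, the `vault` binary on `PATH`, and constructed names (user `alice`, policy `userpass-self-password`); the mount accessor is read from `sys/auth/userpass` instead of being pasted in by hand.

```shell
#!/usr/bin/env sh
# Added example, not the original poster's code. Constructed names: user "alice",
# policy "userpass-self-password". Needs VAULT_ADDR, an admin VAULT_TOKEN and vault on PATH.

# Render the self-service policy for a given userpass mount accessor.
# "password" = [] allows the password parameter with any value; because it is the only
# key listed in allowed_parameters, every other parameter (token_policies, ...) is denied.
render_policy() {
  accessor="$1"
  cat <<EOF
path "auth/userpass/users/{{identity.entity.aliases.${accessor}.name}}" {
  capabilities = ["update"]
  allowed_parameters = {
    "password" = []
  }
}
EOF
}

demo() {
  set -e
  vault auth enable userpass 2>/dev/null || true       # no-op if already enabled
  accessor=$(vault read -field=accessor sys/auth/userpass)
  render_policy "$accessor" | vault policy write userpass-self-password -

  # Admin creates the user and sets the initial password (default policy is added automatically).
  vault write auth/userpass/users/alice password='initial-pw' token_policies='userpass-self-password'

  # Log in as alice without overwriting the admin token in the token helper.
  alice_token=$(vault login -no-store -field=token -method=userpass \
                  username=alice password='initial-pw')

  # Allowed: alice changes her own password.
  VAULT_TOKEN="$alice_token" vault write auth/userpass/users/alice password='new-pw'

  # Denied: a parameter outside allowed_parameters (would escalate her own policies).
  ! VAULT_TOKEN="$alice_token" vault write auth/userpass/users/alice token_policies='root'

  # Denied: another user's path, since the templated path only matches her own alias name.
  ! VAULT_TOKEN="$alice_token" vault write auth/userpass/users/bob password='x'

  # The new password must now work and the old one must not.
  vault login -no-store -field=token -method=userpass username=alice password='new-pw' >/dev/null
  ! vault login -no-store -field=token -method=userpass username=alice password='initial-pw' >/dev/null
  echo "self-service password policy behaves as expected"
}

# Only talk to Vault when the environment is actually set up.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
  demo
fi
```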