Using multiple roles for fetching various secrets from Vault


We have our Vault designed in such a way that each team has their own secret engines and can authenticate with multiple auth methods, one of them using Kubernetes service accounts.

We also have a way of enabling teams to give permissions to other teams to a path within their secret engines, so that it’s possible for them to share a secret if they want to, without having to create a PR into our infrastructure terraform repository.

An issue arises, however, if a guest team wants to both read secrets from their own path with a predefined role that they have, as well as read secrets to which they were given access by a different team using a different role.

Is it possible to configure this somehow using annotations or the ConfigMap within Kubernetes, or is only one role possible? Alternatively, can this be worked around?

Thanks for any inputs!

P.S. We are using the OSS version of Vault
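As an added example (not from the original post or any reply), this is how the setup described above is commonly handled with the Terraform Vault provider: the Agent injector's `vault.hashicorp.com/role` annotation selects a single Kubernetes auth role, but one role may carry several policies, so the guest team's role is bound to its own service account and lists both its own policy and the policy the other team granted. Team names, engine paths, namespaces and service account names are assumptions.

```hcl
# Added example, not code from the original post. Assumed setup:
# team "payments" owns the KV v2 engine payments/, and team "billing"
# has granted read access to billing/shared/payments/* on its engine.

# The guest team's own policy: full read/list on its own engine.
resource "vault_policy" "payments_own" {
  name   = "payments-own"
  policy = <<EOT
path "payments/data/*" {
  capabilities = ["read", "list"]
}
EOT
}

# The policy the other team granted: read only, scoped to the shared subpath,
# so the guest team never sees the rest of billing/.
resource "vault_policy" "billing_shared_to_payments" {
  name   = "billing-shared-to-payments"
  policy = <<EOT
path "billing/data/shared/payments/*" {
  capabilities = ["read"]
}
EOT
}

# One Kubernetes auth role, bound to exactly one service account in one
# namespace, carrying both policies. Pods then need only:
#   vault.hashicorp.com/agent-inject: "true"
#   vault.hashicorp.com/role:         "payments"
resource "vault_kubernetes_auth_backend_role" "payments" {
  backend                          = "kubernetes"
  role_name                        = "payments"
  bound_service_account_names      = ["payments-api"]
  bound_service_account_namespaces = ["payments"]
  token_policies = [
    vault_policy.payments_own.name,
    vault_policy.billing_shared_to_payments.name,
  ]
  token_ttl     = 3600 # short-lived token; the agent renews it
  token_max_ttl = 86400
}
```

The resulting token's `policies` list (visible with `vault token lookup`) is the check that both grants are in effect, and keeping the shared policy separate from the team's own policy means the granting team can revoke it without touching the role.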