Vault Namespace - shutdown / disable access

ps3460 · August 24, 2022, 4:52pm

I’ve been asked to look into a shutdown option, where a namespace is compromised as an option, (vs whole vault sealing)
I can’t work out how to either disable a whole namespace or to implement a deny-all from either within the namespace or within the root account.
I thought it would be as simple as (from root level)

path “namespace1/*” {
capabilities = [“deny”]
}

But this didn’t work. Has anyone got any pointers or have actually got this to work for themselves?

Thank you

Phil

maxb · August 24, 2022, 7:12pm

You can’t do this with ACL policies, because most specific policy wins - so an allow policy for namespace1/foo/bar/baz overrides a deny policy for namespace1/*.

However, have you seen Namespace API Lock | Vault by HashiCorp ?

ps3460 · August 25, 2022, 7:27am

You might just be the next superhero!
Thank you Maxb

Topic		Replies	Views
Policy with * - user level Vault	2	183	July 27, 2022
HashiCorp Vault - Deny login access to Root namespace for non-Admin users Vault	11	1012	July 2, 2022
Sys/internal/ui/mounts deny question Vault acl , vault	3	33	November 12, 2024
Granting access in root namespce Vault vault	0	307	December 9, 2020
Accessing secrets across multiple vault namespaces Nomad	0	259	March 12, 2021

Vault Namespace - shutdown / disable access

Related topics