We recently set up a Vault instance to generate SSL certificates - which is working fine via the web API
For GUI access, we have also set up mapping from two LDAP groups (from AD): one an ‘Admin’ group, where users get access to everything, which is working fine, and one ‘Maintainer’ group, where users can just create certificates. This is where I’m having problems: I can’t seem to find a policy set up that limits access to just this task …
We have two paths for issuing certs: pki/ica1 and pki/ica2, and the policy for the web API that works OK is:
path "pki/+/issue/*" {
  capabilities = ["create", "read", "update"]
}
# The PKI engine exposes roles under "roles/" (plural); "role/" does not exist
path "pki/+/roles/*" {
  capabilities = ["read"]
}
path "pki/+/roles" {
  capabilities = ["read"]
}
However, if I use the same policy for the Maintainer group, when these users click on either the pki/ica1 and pki/ica2 Secrets link, they get a ‘Not Authorized’ error.
If I add something like:
path "pki/ica*" {
  capabilities = ["read", "list"]
}
Users can get further, and start creating a certificate, but get ‘permission denied’ when clicking on ‘Generate’ … but I can’t seem to find a combination to do what I need
Does anyone know how I can set a suitable policy to allow these users to just be able to create certificates via the GUI?
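As an added example (not from the original post), here is a policy shaped for the UI workflow described above, written against the documented PKI endpoints: the mount page lists roles (a LIST on `pki/ica1/roles`, which Vault checks against the policy path with a trailing slash, `pki/+/roles/`), the generate form reads the chosen role, and ‘Generate’ posts to `pki/+/issue/<role>`. It assumes the UI makes no further calls for this mount; if it does, the audit log entry for the denied request names the exact path to add.

```hcl
# Maintainer policy for issuing certificates from pki/ica1 and pki/ica2 via the UI.
# Added example; mount names are taken from the post, everything else is assumed.

# The mount page lists roles. LIST requests are matched with a trailing slash,
# so "pki/+/roles" (no slash, "read" only) does not cover them.
path "pki/+/roles/" {
  capabilities = ["list"]
}

# The generate form reads the selected role's options.
path "pki/+/roles/*" {
  capabilities = ["read"]
}

# 'Generate' issues a certificate (a write, so "update" is what matters here).
path "pki/+/issue/*" {
  capabilities = ["create", "update"]
}
```

Note that Vault does not merge capabilities from every matching rule; for each request it applies only the single most specific matching path, and a rule whose first wildcard appears later in the path outranks one whose wildcard appears earlier. For `pki/ica1/issue/<role>`, the broad `pki/ica*` rule from the post therefore takes precedence over `pki/+/issue/*`, and since it grants only `read` and `list`, the issue call is denied. Granting the list capability narrowly on `pki/+/roles/` instead avoids shadowing the issue rule and keeps the Maintainer group away from role and CA management.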