Vault-PKI policy problem

We recently set up a Vault instance to generate SSL certificates - which is working fine via the web API

For GUI access, we have also set up mappings from two LDAP groups (from AD): an ‘Admin’ group, where users get access to everything, which is working fine, and a ‘Maintainer’ group, where users can just create certificates. This is where I’m having problems: I can’t seem to find a policy setup that limits access to just this task …

We have two paths for issuing certs: pki/ica1 and pki/ica2, and the policy for the web API that works OK is:

path "pki/+/issue/*" {
  capabilities = ["create", "read", "update"]
}
path "pki/+/role/*" {
  capabilities = ["read"]
}
path "pki/+/roles" {
  capabilities = ["read"]
}

However, if I use the same policy for the Maintainer group, when these users click on either the pki/ica1 or pki/ica2 Secrets link, they get a ‘Not Authorized’ error.

If I add something like:

path "pki/ica*" {
  capabilities = ["read", "list"]
}

Users can get further and start creating a certificate, but get ‘permission denied’ when clicking on ‘Generate’ … I can’t seem to find a combination that does what I need.

Does anyone know how I can set a suitable policy to allow these users to just be able to create certificates via the GUI?

In cases like this, I normally inspect the audit logs to see which specific path the 403 is being generated on, then add that to my policy and step through the whole process until I get a working result.

There may be several UI specific paths that aren’t obvious according to the API documentation. Inspecting the audit logs helps out tremendously with this.
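The audit-log approach above, as an added worked example (not code from the thread or from HashiCorp): it pulls the ACL-denied requests out of a file audit device's JSON log, checks them against the "web API" policy stanzas quoted earlier in the thread, and renders the HCL blocks that would cover what is still missing. It assumes a file audit device is enabled (for example `vault audit enable file file_path=/var/log/vault_audit.log`); the log lines embedded below are constructed to mimic that device's format and are not real data, the user names are invented, and `path_matches` is a simplified model of Vault's ACL matching (`+` for one segment, trailing `*` for any remainder) that ignores deny rules and rule priority.

```python
"""Added example: find ACL-denied requests in a Vault file audit log, check them
against a policy, and print HCL stanzas for whatever is still uncovered.
Not part of the original thread; sample log lines are constructed."""
import json

# Constructed sample entries (not real audit data). Response entries that failed
# the ACL check carry the "permission denied" error string; allowed requests
# carry a response body instead. Secrets in real logs are HMAC'd, as mimicked here.
SAMPLE_AUDIT_LOG = r"""
{"type":"request","auth":{"display_name":"ldap-jdoe","policies":["default","maintainer"]},"request":{"operation":"list","path":"pki/ica1/roles/"}}
{"type":"response","auth":{"display_name":"ldap-jdoe","policies":["default","maintainer"]},"request":{"operation":"list","path":"pki/ica1/roles/"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"type":"response","auth":{"display_name":"ldap-jdoe","policies":["default","maintainer"]},"request":{"operation":"update","path":"pki/ica1/issue/web-server"},"response":{"data":{"certificate":"hmac-sha256:..."}}}
{"type":"response","auth":{"display_name":"ldap-jdoe","policies":["default","maintainer"]},"request":{"operation":"list","path":"pki/ica2/roles/"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"type":"response","auth":{"display_name":"ldap-admin","policies":["default","admin"]},"request":{"operation":"update","path":"sys/policies/acl/maintainer"},"response":{}}
"""

# The "web API" policy quoted in the thread, transcribed as (pattern, capabilities).
API_POLICY = [
    ("pki/+/issue/*", {"create", "read", "update"}),
    ("pki/+/role/*", {"read"}),
    ("pki/+/roles", {"read"}),
]


def denied_requests(log_text, display_name=None):
    """Return the distinct (path, operation) pairs the ACL rejected, in log order,
    optionally limited to one token's display_name."""
    seen = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue
        if "permission denied" not in (entry.get("error") or ""):
            continue
        if display_name and entry.get("auth", {}).get("display_name") != display_name:
            continue
        key = (entry["request"]["path"], entry["request"]["operation"])
        if key not in seen:
            seen.append(key)
    return seen


def path_matches(pattern, path):
    """Simplified Vault ACL matching: '+' matches exactly one path segment and a
    trailing '*' matches any remainder (including the rest of the segment it
    ends in). Deny rules and exact-vs-glob priority are not modelled."""
    pat_segs = pattern.split("/")
    path_segs = path.split("/")
    glob = pat_segs[-1].endswith("*")
    if glob:
        pat_segs[-1] = pat_segs[-1][:-1]
        if len(path_segs) < len(pat_segs):
            return False
    elif len(path_segs) != len(pat_segs):
        return False  # no glob: segment counts must agree, trailing slash included
    for i, seg in enumerate(pat_segs):
        if glob and i == len(pat_segs) - 1:
            return path_segs[i].startswith(seg)
        if seg != "+" and seg != path_segs[i]:
            return False
    return True


def uncovered(denied, policy):
    """Denied requests that no stanza in `policy` would grant."""
    return [(path, op) for path, op in denied
            if not any(op in caps and path_matches(pat, path) for pat, caps in policy)]


def stanzas_for(requests, plus_segment=None):
    """Render one HCL path block per path granting exactly the listed operations.
    plus_segment (0-based) replaces that segment with '+' so per-mount paths
    such as pki/ica1/... and pki/ica2/... collapse into one pki/+/... block."""
    caps_by_path = {}
    for path, op in requests:
        if op == "list" and not path.endswith("/"):
            path += "/"  # Vault evaluates list permissions on the trailing-slash form
        segs = path.split("/")
        if plus_segment is not None and plus_segment < len(segs):
            segs[plus_segment] = "+"
        path = "/".join(segs)
        caps = caps_by_path.setdefault(path, [])
        if op not in caps:
            caps.append(op)
    return "\n".join(
        'path "%s" {\n  capabilities = [%s]\n}' % (path, ", ".join('"%s"' % c for c in caps))
        for path, caps in caps_by_path.items())


if __name__ == "__main__":
    denied = denied_requests(SAMPLE_AUDIT_LOG, display_name="ldap-jdoe")
    missing = uncovered(denied, API_POLICY)
    print("Denied and not covered by the API policy:", missing)
    print(stanzas_for(missing, plus_segment=1))
```

Run against the constructed log, the only uncovered requests are the `list` operations on `pki/ica1/roles/` and `pki/ica2/roles/`: the API policy's `pki/+/roles` stanza has no trailing slash, so it does not match the list path, and `pki/+/role/*` does not match `roles` at all. With `plus_segment=1` the two mounts collapse into a single `pki/+/roles/` block. Point the script at a real audit file, filter by the affected user's display name, and repeat after each policy change until `uncovered` returns an empty list.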

Thanks - that helped to fix it.

Looks like I needed in the ‘maintainer’ policy:

path "pki/+/roles/" {
  capabilities = ["read", "list"]
}