Vault policy priorities

I am trying to figure out a workaround for Vault policy priorities.

I am creating different groups and policies per system, i.e.:

Policy somesystem-admin:

# View policies
path "sys/policies/acl/somesystem.*" {
  capabilities = ["read"]
}
path "auth/ldap/groups/somesystem.*" {
  capabilities = ["read"]
}
# Manage secrets in somesystem
path "kv/data/somesystem/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "kv/metadata/somesystem/*" {
  capabilities = ["read", "list"]
}

And I want to have a similar policy for Vault admins, too - with access to all policies and secrets etc. - policy vault-admin:

# List existing policies
path "sys/policies/acl" {
  capabilities = ["list"]
}
# Create and manage ACL policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

But according to Vault policy priorities, if a user is in both groups (somesystem-admin and vault-admin), the policy from somesystem-admin has higher priority as it is more specific.

Do you have any workaround for this? I am trying to avoid using the root policy even for Vault admins. And I don’t want to include all systems in vault-admin to make it more specific.

The only viable option is to ensure Vault admins are not also in the groups that grant the limited admin policies, or to individually list all the limited paths in the full admin policy, re-overriding the access to full.
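As an added illustration (not code from this thread and not Vault's own implementation), the following simulates the documented precedence rules over the two policies above and shows why the re-override suggested in the reply works: an exact path match wins, otherwise the longest glob prefix wins, and rules from different policies that name the same path are merged with `deny` taking precedence. The `+` single-segment wildcard is left out as a simplification.

```python
"""Simulate which rule governs a request when a token holds several Vault
policies.  Policies are modelled as {path_rule: set_of_capabilities}."""

FULL = {"create", "read", "update", "delete", "list", "sudo"}

# The two policies from the question (constructed from the HCL above).
SOMESYSTEM_ADMIN = {
    "sys/policies/acl/somesystem.*": {"read"},
    "auth/ldap/groups/somesystem.*": {"read"},
    "kv/data/somesystem/*": FULL,
    "kv/metadata/somesystem/*": {"read", "list"},
}
VAULT_ADMIN = {
    "sys/policies/acl": {"list"},
    "sys/policies/acl/*": FULL,
}
# The reply's workaround: re-list the limited path in the admin policy.
VAULT_ADMIN_FIXED = dict(VAULT_ADMIN, **{"sys/policies/acl/somesystem.*": FULL})


def rule_matches(rule_path: str, request: str) -> bool:
    """A trailing '*' is a prefix glob; anything else must match exactly."""
    if rule_path.endswith("*"):
        return request.startswith(rule_path[:-1])
    return rule_path == request


def effective_capabilities(policies, request):
    """Return the capability set the documented rules would grant."""
    # Gather every matching rule, merging capabilities when two policies
    # name exactly the same path (this is why the re-override works).
    matched = {}
    for policy in policies:
        for rule_path, caps in policy.items():
            if rule_matches(rule_path, request):
                matched.setdefault(rule_path, set()).update(caps)
    if not matched:
        return set()
    # Exact match beats any glob; among globs the longest prefix is the
    # most specific and wins, regardless of which policy it came from.
    winner = request if request in matched else max(matched, key=len)
    caps = matched[winner]
    # deny overrides everything merged into the same rule.
    return set() if "deny" in caps else set(caps)


if __name__ == "__main__":
    both = [SOMESYSTEM_ADMIN, VAULT_ADMIN]
    print(effective_capabilities(both, "sys/policies/acl/somesystem.app"))  # {'read'}
    print(effective_capabilities([SOMESYSTEM_ADMIN, VAULT_ADMIN_FIXED],
                                 "sys/policies/acl/somesystem.app"))  # FULL
```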

It is an unfortunate implementation :frowning:

I will create issue then… :frowning:

Thanks.