I am planning to create an individual role and policy for each user on the SSH engine, so that each user can create a token only for his/her own username:
```shell
$ cat ismail.hcl
path "ssh/creds/ismail_otp_key_role" {
  capabilities = ["create", "read", "update"]
}
$ vault policy write ismailssh ./ismail.hcl
$ vault write auth/userpass/users/ismail password="test" policies="ismailssh"
```
When I visit the web UI at http://127.0.0.1:8200/ui/vault/secrets/ssh/list I got:

> Not Authorized
> You don't have access to ssh/. If you think you've reached this page in error, please contact your administrator.
I can sort this out by adding:

```hcl
path "ssh/roles/*" {
  capabilities = ["list"]
}
```

In this case the user can see all roles. Yes, he can read/manage only his own, but he can list all of them.

Is there any option in the policy to list only the user's own role(s)?
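The following is an added illustration and not code from the post or from Vault itself. It models, in a few lines of Python, two pieces of Vault's documented policy behaviour that bear on this question: ACL templating, where a single policy containing `{{identity.entity.aliases.<accessor>.name}}` is rendered per entity so that one policy replaces one hand-written file per user, and path matching, where an exact path, a `+` single-segment wildcard, or a trailing `*` glob is matched and the most specific rule decides the capabilities. The mount accessor `auth_userpass_1234abcd` is a constructed placeholder (the real value is the `accessor` of the userpass mount in `vault auth list`), and the matching logic is a simplified model of Vault's rules, not Vault's implementation. The point it makes visible: a LIST on `ssh/roles` is evaluated against the one path `ssh/roles/`, so any `list` grant there covers every role name, while the templated `creds` rule still confines each user to his own role.

```python
import re

# Constructed example: ONE templated policy instead of one hand-written policy per user.
# "auth_userpass_1234abcd" is a placeholder mount accessor; take the real one from
# `vault auth list -format=json` (the "accessor" field of the userpass mount).
TEMPLATED_POLICY = {
    "ssh/creds/{{identity.entity.aliases.auth_userpass_1234abcd.name}}_otp_key_role":
        ["create", "read", "update"],
    "ssh/roles/*": ["list"],
}

_TEMPLATE = re.compile(r"\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.name\}\}")


def render(policy, aliases):
    """Resolve {{identity.entity.aliases.<accessor>.name}} using one entity's alias names.

    `aliases` maps a mount accessor to the alias name (for userpass, the username).
    """
    return {_TEMPLATE.sub(lambda m: aliases[m.group(1)], path): caps
            for path, caps in policy.items()}


def rule_matches(rule, path):
    """Simplified model of Vault path matching.

    Exact segments must be equal, "+" matches exactly one segment, and a trailing
    "*" matches any remainder of the path (including an empty remainder).
    """
    rule_parts, path_parts = rule.split("/"), path.split("/")
    if rule_parts[-1].endswith("*"):
        head, tail_prefix = rule_parts[:-1], rule_parts[-1][:-1]
        if len(path_parts) < len(rule_parts):
            return False
        if any(r not in ("+", p) for r, p in zip(head, path_parts)):
            return False
        return "/".join(path_parts[len(head):]).startswith(tail_prefix)
    return len(rule_parts) == len(path_parts) and all(
        r in ("+", p) for r, p in zip(rule_parts, path_parts))


def capabilities(rendered, path):
    """Most specific (longest) matching rule wins; no matching rule means deny."""
    matching = [rule for rule in rendered if rule_matches(rule, path)]
    if not matching:
        return []
    return sorted(rendered[max(matching, key=len)])


def can(policy, aliases, capability, path):
    """Would a token holding `policy`, for an entity with `aliases`, get `capability` on `path`?"""
    if capability == "list" and not path.endswith("/"):
        path += "/"  # modelled: Vault evaluates LIST operations against the path with a trailing slash
    return capability in capabilities(render(policy, aliases), path)


if __name__ == "__main__":
    ismail = {"auth_userpass_1234abcd": "ismail"}
    bob = {"auth_userpass_1234abcd": "bob"}
    checks = [
        ("ismail create own creds", can(TEMPLATED_POLICY, ismail, "create", "ssh/creds/ismail_otp_key_role")),
        ("ismail read bob's creds", can(TEMPLATED_POLICY, ismail, "read", "ssh/creds/bob_otp_key_role")),
        ("bob read own creds", can(TEMPLATED_POLICY, bob, "read", "ssh/creds/bob_otp_key_role")),
        ("ismail list ssh/roles", can(TEMPLATED_POLICY, ismail, "list", "ssh/roles")),
        ("ismail read bob's role", can(TEMPLATED_POLICY, ismail, "read", "ssh/roles/bob_otp_key_role")),
    ]
    for label, allowed in checks:
        print(f"{label:28s} -> {'allowed' if allowed else 'denied'}")
```

Run it as a script to see the decision table. The one path the UI lists is `ssh/roles/`, so the `list` capability is either granted for that whole directory or not at all; what the templated `creds` rule narrows is which role a given user can actually use, not which names the listing returns.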