Introduction
Prerequisites
- Vault server running on version 1.13.0 Enterprise or above
- Token with a policy that allows the creation of namespaces, policies, entities and entity-aliases, and the configuring of auth methods and the system group-policy-application setting.
Overview
In Vault 1.13 an enterprise feature titled "Share Secrets in Independent Namespaces (enterprise)" was released. This feature builds on top of the existing functionality that allows identity groups to reference entities in other namespaces. Previously, while it was possible for an entity from any other namespace to be referenced in an identity group, only entities within the namespace hierarchy of the identity group's namespace could utilize policies from the namespace (external_namespace_policies). With the introduction of this new feature, it is possible to configure Vault so that entities from any namespace (irrespective of namespace hierarchy) can utilize these policies.
In addition to the excellent resources listed in the "Additional Information" section below, this article provides a brief overview of how this feature works.
Procedures
1. Create 3 namespaces, two with a parent/child relationship and one outside the parent/child hierarchy.
vault namespace create parent
vault namespace create -namespace=parent child
vault namespace create not-parent
2. Enable the Userpass auth method and create a user in both the parent and non-parent namespaces.
vault auth enable -namespace=parent userpass
PARENT_MOUNT_ACCESSOR=$(vault auth list -namespace=parent -format=json | jq -r '."userpass/".accessor')
vault write -namespace=parent auth/userpass/users/max password=1234
vault auth enable -namespace=not-parent userpass
NON_PARENT_MOUNT_ACCESSOR=$(vault auth list -namespace=not-parent -format=json | jq -r '."userpass/".accessor')
vault write -namespace=not-parent auth/userpass/users/max password=1234
3. Create entities and entity-aliases (using Userpass) for the parent and non-parent namespaces.
PARENT_ENTITY_ID=$(vault write -namespace=parent identity/entity name="max" -format=json | jq -r '.data.id')
vault write -namespace=parent identity/entity-alias name=max \
mount_accessor=$PARENT_MOUNT_ACCESSOR \
canonical_id=$PARENT_ENTITY_ID
NON_PARENT_ENTITY_ID=$(vault write -namespace=not-parent identity/entity name="max" -format=json | jq -r '.data.id')
vault write -namespace=not-parent identity/entity-alias name=max \
mount_accessor=$NON_PARENT_MOUNT_ACCESSOR \
canonical_id=$NON_PARENT_ENTITY_ID
4. In the child namespace, create an admin policy.
vault policy write -namespace=parent/child child-admin - <<EOF
path "*" {
capabilities = [ "create", "read", "update", "delete", "list", "sudo" ]
}
EOF
5. In the child namespace, add the parent and non-parent entities to an internal identity group.
vault write -namespace=parent/child identity/group name="child admins" \
policies=child-admin \
member_entity_ids=$PARENT_ENTITY_ID \
member_entity_ids=$NON_PARENT_ENTITY_ID
6. Login with a token from the parent namespace. The token will have external_namespace_policies with the child-admin policy and vault auth list succeeds.
vault login -method=userpass -namespace=parent username=max password=1234 && \
vault token lookup && vault auth list -namespace=parent/child
7. Login with a token from the not-parent namespace. The token will NOT have external_namespace_policies with the child-admin policy and vault auth list will NOT succeed.
vault login -method=userpass -namespace=not-parent username=max password=1234 && \
vault token lookup && vault auth list -namespace=parent/child
...
...
...
Error listing enabled authentications: Error making API request.
Namespace: parent/child/
URL: GET http://127.0.0.1:8200/v1/sys/auth
Code: 403. Errors:
* 1 error occurred:
* permission denied
8. Log back in with root (or admin) token.
vault login $ROOT_OR_ADMIN_TOKEN
9. Read the current group_policy_application_mode value. It defaults to within_namespace_hierarchy.
vault read /sys/config/group-policy-application
10. Update the mode to any.
vault write /sys/config/group-policy-application group_policy_application_mode=any
11. Re-attempt the login with the non-parent token and perform operations in another namespace (not a direct descendant). The login is successful.
vault login -method=userpass -namespace=not-parent username=max password=1234 && \
vault token lookup && vault auth list -namespace=parent/child
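The following is an added example, not part of the HashiCorp article or of Vault itself: a small POSIX shell model of the rule the walkthrough demonstrates, so an operator can predict whether a given entity/group placement will grant group policies before changing group_policy_application_mode. The within_namespace_hierarchy rule is modelled as "the group's namespace is the entity's namespace or one of its descendants", which is the direction steps 6 and 7 show (parent -> parent/child is granted, not-parent -> parent/child is denied); the reverse direction (entity below the group's namespace) is not covered by the article and is denied in this model as an assumption. The root namespace is represented as an empty string, also an assumption of this model. It needs no running Vault server and no jq.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article): models which identity-group
# policies a token receives under each group_policy_application_mode, using the
# namespaces from the walkthrough. Assumptions: the root namespace is "", and
# within_namespace_hierarchy grants only when the group's namespace is the
# entity's namespace or a descendant of it (the direction the article shows).

# normalize_ns NS: drop a trailing slash so "parent/child/" and "parent/child" compare equal
normalize_ns() {
  printf '%s' "${1%/}"
}

# within_hierarchy ENTITY_NS GROUP_NS
# Returns 0 when GROUP_NS equals ENTITY_NS or sits below it (e.g. parent -> parent/child).
within_hierarchy() {
  entity_ns=$(normalize_ns "$1")
  group_ns=$(normalize_ns "$2")
  # the root namespace ("") is an ancestor of every namespace
  [ -z "$entity_ns" ] && return 0
  [ "$entity_ns" = "$group_ns" ] && return 0
  case "$group_ns" in
    "$entity_ns"/*) return 0 ;;
  esac
  return 1
}

# group_policies_apply MODE ENTITY_NS GROUP_NS
# Returns 0 when an entity in ENTITY_NS receives the policies of a group in GROUP_NS.
group_policies_apply() {
  mode=$1
  entity_ns=$2
  group_ns=$3
  case "$mode" in
    any) return 0 ;;
    within_namespace_hierarchy) within_hierarchy "$entity_ns" "$group_ns" ;;
    *) echo "unknown group_policy_application_mode: $mode" >&2; return 2 ;;
  esac
}

# expected_auth_list_result MODE ENTITY_NS GROUP_NS
# Prints what 'vault auth list -namespace=GROUP_NS' should do for a token whose
# entity lives in ENTITY_NS, given a group in GROUP_NS that grants a permitting policy.
expected_auth_list_result() {
  if group_policies_apply "$1" "$2" "$3"; then
    echo "succeeds (external_namespace_policies carries the group's policies)"
  else
    echo "permission denied (group policies not applied)"
  fi
}

# Walk through the three logins in the article: steps 6 and 7 run with the
# default mode, step 11 after the mode has been switched to any.
for scenario in \
  "within_namespace_hierarchy parent" \
  "within_namespace_hierarchy not-parent" \
  "any not-parent"; do
  set -- $scenario
  printf 'mode=%-27s entity ns=%-11s auth list in parent/child: %s\n' \
    "$1" "$2" "$(expected_auth_list_result "$1" "$2" parent/child)"
done
```

Run it with `sh` to print the expected outcome for each of the article's three logins; to evaluate a placement of your own, call `expected_auth_list_result MODE ENTITY_NS GROUP_NS` directly. Note that the check is purely structural: it says whether group policies are applied at all, not whether a particular policy grants the requested capability.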