Vault Control Group Authorisations Failing across Namespaces – HashiCorp Help Center

Introduction

Control Groups add additional authorisation elements to Vault ACL policies so that additional authorisation requirements need to be met before satisfying a request.

When Control Groups have been specified in an ACL policy, and are required for a request, a limited duration response wrapping token is returned to the user making the request instead of the requested data. The accessor of the response wrapping token must be provided to the authorisers, as specified in the Control Group policy. Once all authorisations are satisfied, the wrapping token can be used to unwrap and process the original request.

Problem

When making use of Control Groups in a Vault environment configured with Namespaces, the authorisation process may fail. If the authorisation process is done using the CLI, the approved key value remains as false.

$ vault write sys/control-group/request accessor=$WRAPPING_ACCESSOR
Key Value
--- -----
approved false
authorizations <nil>
request_entity map[id:eb8e6112-94f9-xxxx-xxxx-xxxxx name:entity_4axxxxx]
request_path kv/foo

If the authorisation process is done using the GUI, it is falsely reported that the authorisation was successful when indeed it was not.

Prerequisites

Vault Enterprise Plus License
Vault Enterprise 1.8.0+ent or newer

Cause

An example of a typical ACL Policy that has Control Groups defined:

path "namespace/kv/*" {
  capabilities = ["read"]
  control_group = {
    factor "admin-controlled" {
       identity {
           group_names = ["admin-group"]
           approvals = 1
    }   
   }
  }
}

With the above Control Group ACL policy the authorisation process will fail as described in the Problem section. The underlying cause for this is due to the fact that Group Names are not unique across Namespaces.

Overview of possible solutions

Solution:

Identify the id of the group you wish to use as a Control Group in an ACL Policy.

$ vault read identity/group/name/admin-group
Key Value
--- -----
alias map[]
creation_time 2023-06-05T10:33:49.237617084Z
id 3baffe5b-6136-1d67-6ab2-d9b7b93axxxx
last_update_time 2023-06-05T10:39:34.039805117Z
member_entity_ids [09f793b6-1b8b-b1b0-51af-9140cxxxx]
member_group_ids <nil>
metadata <nil>
modify_index 12
name admin-group
namespace_id root
parent_group_ids <nil>
policies [approver]
type internal

Edit the ACL Policy and instead of using group_names , use group_ids

path "namespace/kv/*" {
  capabilities = ["read"]
  control_group = {
    factor "admin-controlled" {
      identity {
        group_ids = ["3baffe5b-6136-1d67-6ab2-d9b7b93axxxx"]
        approvals = 1
    } 
   }
  }
}

Outcome

The authorization process will now complete successfully.

Additional Information

Vault Tutorial: Control Groups
Vault Documentation: Vault Enterprise Control Groups
Vault Documentation: Policies
Vault API: Control Groups API