Introduction
Restricting a set of users/groups to enabling specific auth mount types only on specific paths.
Anticipated Results
The implemented ACL policy will restrict users/groups within the root namespace from enabling particular mount types, and will allow enabling the permitted types only under a specific path prefix.
Prerequisites
To perform the steps in this article, you'll need:
- Vault Enterprise version 0.9 or higher.
- Token with sufficient permissions to create ACL policies.
Steps
- Write an ACL policy file (restrict.hcl) such as the one below, which only allows enabling the kubernetes and approle auth methods under the specific path prefix k8s/ (the "*" = [] entry permits any other request parameter, such as description, with any value):-
# Create, update, and delete auth methods mounted under k8s/;
# sys/auth/* is a sudo-protected path, so "sudo" is required as well
path "sys/auth/k8s/*" {
  capabilities = ["create", "update", "delete", "sudo"]
  allowed_parameters = {
    "type" = ["kubernetes", "approle"]
    "*" = []
  }
}
# Configure and use the auth methods mounted under k8s/
path "auth/k8s/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List auth methods
path "sys/auth" {
  capabilities = ["read"]
}
- Write the policy and assign it to the user it should restrict (here the user kunal, created under the userpass auth method) so that it takes effect:-
root@vault-vm1:~# vault policy write restrict restrict.hcl
root@vault-vm1:~# vault write auth/userpass/users/kunal policies=restrict
Success! Data written to: auth/userpass/users/kunal
- Test the policy by trying to enable auth methods on paths outside the allowed k8s/ prefix, or of a type that is not allowed. (Sample results, each failing with a permission denied error, as below):-
root@vault-vm1:~# vault auth enable -path=test1 kubernetes
Error enabling kubernetes auth: Error making API request.
URL: POST http://192.168.64.5:8200/v1/sys/auth/test1
Code: 403. Errors:
* 1 error occurred:
* permission denied
root@vault-vm1:~# vault auth enable kubernetes
Error enabling kubernetes auth: Error making API request.
URL: POST http://192.168.64.5:8200/v1/sys/auth/kubernetes
Code: 403. Errors:
* 1 error occurred:
* permission denied
root@vault-vm1:~# vault auth enable aws
Error enabling aws auth: Error making API request.
URL: POST http://192.168.64.5:8200/v1/sys/auth/aws
Code: 403. Errors:
* 1 error occurred:
* permission denied
- Test the policy by enabling the allowed auth method types on paths under the k8s/ prefix named in the restrict policy. (Sample results, with the auth methods enabled successfully):-
root@vault-vm1:~# vault auth enable -path=k8s/kube1 kubernetes
Success! Enabled kubernetes auth method at: k8s/kube1/
root@vault-vm1:~# vault auth enable -path=k8s/approle1 approle
Success! Enabled approle auth method at: k8s/approle1/
The output of `vault auth list` now shows the two new mounts under k8s/:-
root@vault-vm1:~# vault auth list
Path Type Accessor Description Version
---- ---- -------- ----------- -------
k8s/approle1/ approle auth_approle_7ae09d15 n/a n/a
k8s/kube1/ kubernetes auth_kubernetes_30afe4a4 n/a n/a
userpass/ userpass auth_userpass_995dc7f1 n/a n/a
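To see why each request in the tests above was allowed or denied, here is a small evaluator that mimics the three ACL rules restrict.hcl relies on. It is an added example, not Vault's own code: the policy is transcribed into a Python structure, and the matching is simplified to what this policy uses (trailing "*" prefix match, longest matching rule wins, capability check, allowed_parameters, and the sudo requirement on sys/auth/*), with no support for "+" segments or denied_parameters.

```python
# Python transcription of restrict.hcl (constructed to mirror the policy above)
RESTRICT_POLICY = [
    {"path": "sys/auth/k8s/*",
     "capabilities": {"create", "update", "delete", "sudo"},
     "allowed_parameters": {"type": ["kubernetes", "approle"], "*": []}},
    {"path": "auth/k8s/*",
     "capabilities": {"create", "read", "update", "delete", "list", "sudo"},
     "allowed_parameters": None},
    {"path": "sys/auth",
     "capabilities": {"read"},
     "allowed_parameters": None},
]

# Paths Vault treats as root-protected: any non-read operation also needs "sudo".
SUDO_PROTECTED_PREFIXES = ("sys/auth/",)


def path_matches(rule_path, request_path):
    # A trailing "*" in a rule is a prefix match; anything else is an exact match.
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path


def params_allowed(allowed, params):
    # No allowed_parameters block means every parameter is permitted.
    if allowed is None:
        return True
    for key, value in params.items():
        if key in allowed:
            # An empty list means "any value"; otherwise the value must be listed.
            if allowed[key] and value not in allowed[key]:
                return False
        elif "*" not in allowed:
            # Unlisted keys are only permitted when the wildcard entry exists.
            return False
    return True


def evaluate(policy, operation, request_path, params):
    matches = [r for r in policy if path_matches(r["path"], request_path)]
    if not matches:
        return "permission denied"
    rule = max(matches, key=lambda r: len(r["path"]))  # most specific rule wins
    caps = rule["capabilities"]
    if operation not in caps:
        return "permission denied"
    if operation != "read" and request_path.startswith(SUDO_PROTECTED_PREFIXES) \
            and "sudo" not in caps:
        return "permission denied"
    if not params_allowed(rule["allowed_parameters"], params):
        return "permission denied"
    return "allowed"


def enable_auth(policy, mount_path, auth_type):
    # `vault auth enable -path=<mount_path> <auth_type>` is a POST to
    # sys/auth/<mount_path> with {"type": <auth_type>}, needing "create".
    return evaluate(policy, "create", f"sys/auth/{mount_path}", {"type": auth_type})
```

Running enable_auth for test1, kubernetes (the default path) and aws reproduces the three denials, while k8s/kube1 and k8s/approle1 are allowed; a kubernetes mount at k8s/aws1 of type aws is denied by allowed_parameters alone.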