Introduction
In a Vault cluster where namespaces are heavily used, listing all auth methods per namespace can be a time-consuming task. This guide provides a method of listing auth methods of a selected type per namespace by means of a shell script.
Prerequisites
- Vault Enterprise - All versions.
- jq 1.7 or later.
- Bash 5.1 or later.
- Vault token with a policy allowing read and list operations on all namespaces and auth methods (the script calls vault namespace list, which needs list on sys/namespaces, and vault auth list, which needs read on sys/auth, in every namespace it visits).
Overview
The script interacts with Vault to list auth methods within namespaces and performs the following tasks:
- Lists auth methods of a specific type in each namespace returned by vault namespace list.
- Flattens the namespace path to remove any duplicate or trailing slashes.
- Recursively traverses namespaces up to a specified depth to list auth methods.
The script expects two command-line arguments:
- depth: The depth to which the script should traverse namespaces. For example, a depth of 3 is required if a namespace exists as ns1/sub1/sub2.
- method_type: The type of auth method to list. For example: approle, userpass, ldap, jwt, kubernetes etc.
Please note that this script only processes auth methods enabled inside a namespace and will not return data for auth methods enabled outside of a namespace (i.e. the root namespace is not detailed).
Procedures
- Copy, save to file and make the following script executable on your Vault server:
#!/bin/bash
# list_auth_methods_per_ns.sh
# Usage: ./list_auth_methods_per_ns.sh <depth> <method_type>

# Print every auth method of the requested type enabled in one namespace.
# `vault auth list` returns a JSON object keyed by mount path; to_entries[]
# turns it into one object per mount so it can be filtered on .value.type.
function list_auth_methods() {
  local namespace=$1
  local method_type=$2
  local result
  result=$(vault auth list -ns="$namespace" -format=json \
    | jq -r --arg method_type "$method_type" '. | to_entries[] | select(.value.type == $method_type)')
  if [ -n "$result" ]; then
    echo "Auth Methods in Namespace: $namespace"
    echo "$result" | jq -c '.'
    echo
  fi
}

# Collapse repeated slashes and drop a trailing slash, e.g. "ns-1//sub/" -> "ns-1/sub".
# `vault namespace list` returns child names with a trailing "/", so this keeps
# the composed path clean before it is passed back to -ns.
function flatten_namespace() {
  local namespace=$1
  echo "$namespace" | sed -E 's#/{2,}#/#g; s#/$##'
}

# Walk the namespace tree depth-first, listing auth methods in each namespace
# until the requested depth is exceeded.
function traverse_namespaces() {
  local depth=$1
  local current_depth=$2
  local parent_namespace=$3
  local method_type=$4
  if [ "$current_depth" -gt "$depth" ]; then
    return
  fi
  local namespaces
  if [ -z "$parent_namespace" ]; then
    # Top-level call: list the namespaces directly under root.
    namespaces=$(vault namespace list -format=json | jq -r '.[]')
  else
    parent_namespace=$(flatten_namespace "$parent_namespace")
    namespaces=$(vault namespace list -ns="$parent_namespace" -format=json | jq -r '.[]')
  fi
  for namespace in $namespaces; do
    local full_namespace
    if [ -z "$parent_namespace" ]; then
      full_namespace="$namespace"
    else
      full_namespace="$parent_namespace/$namespace"
    fi
    full_namespace=$(flatten_namespace "$full_namespace")
    list_auth_methods "$full_namespace" "$method_type"
    traverse_namespaces "$depth" "$((current_depth + 1))" "$full_namespace" "$method_type"
  done
}

if [ "$#" -eq 2 ]; then
  depth=$1
  method_type=$2
  traverse_namespaces "$depth" 1 "" "$method_type"
else
  echo "Usage: $0 <depth> <method_type>"
  exit 1
fi
- Execute the script as follows:
./list_auth_methods_per_ns.sh 3 userpass
- Example output:
Auth Methods in Namespace: ns-1
{"key":"userpass/","value":{"uuid":"ba064fe0-f41f-8879-e5d1-a6240bf364f8","type":"userpass","description":"","accessor":"auth_userpass_5207684a","config":{"default_lease_ttl":0,"max_lease_ttl":0,"force_no_cache":false,"listing_visibility":"hidden","token_type":"default-service"},"options":{},"local":false,"seal_wrap":false,"external_entropy_access":false,"plugin_version":"","running_plugin_version":"v1.18.3+builtin.vault","running_sha256":"","deprecation_status":"supported"}}

Auth Methods in Namespace: ns-1/nest-1
{"key":"userpass/","value":{"uuid":"5e8a5f29-e39c-35c0-5c6c-cef323a35f73","type":"userpass","description":"","accessor":"auth_userpass_01ccc2f8","config":{"default_lease_ttl":0,"max_lease_ttl":0,"force_no_cache":false,"listing_visibility":"hidden","token_type":"default-service"},"options":{},"local":false,"seal_wrap":false,"external_entropy_access":false,"plugin_version":"","running_plugin_version":"v1.18.3+builtin.vault","running_sha256":"","deprecation_status":"supported"}}

Auth Methods in Namespace: ns-1/nest-1/nest-2
{"key":"userpass/","value":{"uuid":"d1ebc797-0023-ba29-1bc7-96f746eac00f","type":"userpass","description":"","accessor":"auth_userpass_6ceea8ee","config":{"default_lease_ttl":0,"max_lease_ttl":0,"force_no_cache":false,"listing_visibility":"hidden","token_type":"default-service"},"options":{},"local":false,"seal_wrap":false,"external_entropy_access":false,"plugin_version":"","running_plugin_version":"v1.18.3+builtin.vault","running_sha256":"","deprecation_status":"supported"}}
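A least-privilege policy for the token named in the prerequisites, written here as an added example (it is not part of the original article or of the Vault product documentation). It assumes the policy is written in the root namespace, the script is run from root with a depth of 3, and the `+` wildcard is used to match one namespace segment per level; the root namespace's own sys/auth is deliberately left out because the script never lists it.

```hcl
# Constructed example: read-only inventory policy for list_auth_methods_per_ns.sh
# run with depth 3. Vault denies everything not listed here by default.

# vault namespace list: root level, then inside depth-1 and depth-2 namespaces
# (the script stops recursing once current_depth exceeds 3).
path "sys/namespaces" {
  capabilities = ["list"]
}
path "+/sys/namespaces" {
  capabilities = ["list"]
}
path "+/+/sys/namespaces" {
  capabilities = ["list"]
}

# vault auth list inside each namespace at depth 1, 2 and 3.
# Only "read" is granted: the token can inventory auth mounts but
# cannot enable, tune or disable them.
path "+/sys/auth" {
  capabilities = ["read"]
}
path "+/+/sys/auth" {
  capabilities = ["read"]
}
path "+/+/+/sys/auth" {
  capabilities = ["read"]
}
```

Add one more `+/` level to both path groups for every additional depth the script is run with; a shallower policy makes the deeper `vault namespace list` and `vault auth list` calls fail with permission denied rather than silently skipping those namespaces.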
Additional Information:
- Vault Documentation: Auth Methods
- Vault Documentation: Vault Enterprise Namespaces
- Vault KB Article: How to list Vault child Namespaces
- Vault KB Article: How to list Vault Secrets Engines per Namespace