Introduction:
On particular occasions, a Vault administrator needs to create identical policies for all child namespaces at the root level i.e policies that reside in the root
namespace but affect the child namespaces.
Expected Outcome:
By following this how-to article, you will have the ability to apply identical Vault policies to all child namespaces at the root level.
Those policies might be assigned to users that log in to the
root
namespace.Prerequisites:
- This how-to article is valid only for the Enterprise version of Vault.
- Bash version 5.1
- JQ tool
Use Case:
You have three namespaces within Vault and you would like to apply the identical policy to all of them at the root level.
The namespaces are named
ns1
, ns2
and ns3
. The created policies will follow the naming convention - my-policy-NAME-OF-NAMESPACE
.The policy document can be adjusted depending on your needs, in this how-to article all the users that are assigned the generated policies are allowed to perform any actions within
ns1
, ns2
and ns3
namespaces except creating and modifying entries of the KV-v2 secrets engine mounted at the path secret/
. Procedure:
- Step 1 - Create testing namespaces named
ns1
,ns2
andns3
:
# Creating the namespaces
$ vault namespace create ns1
$ vault namespace create ns2
$ vault namespace create ns3
- Step 2 - Execute the following Bash script
#!/bin/bash
# Export Vault communication variables
export VAULT_TOKEN=root
export VAULT_ADDR=http://127.0.0.1:8200
# Fetching all of the child namespace and applying policy at root level regarding them
for ns in $(vault namespace list -format=json | jq -r '.[]'); do
vault policy write my-policy-$ns - << EOF
path "${ns//\/}/" {
capabilities = [ "read", "create", "update", "delete", "sudo", "list" ]
}
path "${ns//\/}/secret/data/*" {
capabilities = ["deny"]
}
path "${ns//\/}/secret/metadata"
{
capabilities = [ "deny"]
}
EOF
done
- Step 3 - Verify that the policies for the child namespaces are created and are correctly formatted by doing
vault policy read my-policy-ns1/
:
$ vault policy read my-policy-ns1/
path "ns1/" {
capabilities = [ "read", "create", "update", "delete", "sudo", "list" ]
}
path "ns1/secret/data/*" {
capabilities = ["deny"]
}
path "ns1/secret/metadata"
{
capabilities = [ "deny"]
}
Additional Information and resources: