Introduction
There are two external groups defined for the OIDC authentication method:
- Group_A
- Group_B
The requirement is to restrict access so that the members of these two groups cannot see each other's KV secrets.
Expected Outcome
Both groups have members that must not be able to see each other's secrets:
- Member_A of Group_A should only see the KV secrets of Group_A
- Member_B of Group_B should only see the KV secrets of Group_B
Use Case
NOTE: The policies used below are for testing purposes only. They carry far more than the KV stanza this scenario needs; adapt them to your specific use case before using them outside a test environment.
Procedure
1. Set up Policy_A and Policy_B so that each grants access to a different KV path
2. Enable the KV secrets engine at two different paths, one per group
3. Put some secrets in both KV paths defined in Step 2
4. Enable the OIDC authentication method
5. Configure the external groups
6. Configure the internal groups that will have the external groups as members
7. Create the user entities
8. Log in as a user with the OIDC authentication method
9. Check which secrets the user can read
Create the policies
Policy A. Only the last stanza, "Manage secrets at 'group_a'", is what this scenario needs. The stanzas before it give the group administrative control over policies (sys/policies/acl/*), mounts, identity and tokens: a member of Group_A could rewrite policy_a to include group-b/*, or edit group membership under identity/*, and so reach the other group's secrets. Keep them only in a throwaway test setup.

tee policy_a.hcl <<EOF
# Manage namespaces
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Enable and manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# List available secrets engines
path "sys/mounts" {
  capabilities = [ "read" ]
}

# Create and manage entities and groups
path "identity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Manage tokens
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets at 'group_a'
path "group-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
vault policy write policy_a policy_a.hcl
Policy B. As with Policy A, only the last stanza, "Manage secrets at 'group_b'", is what this scenario needs; the administrative stanzas above it let a member of Group_B escape the isolation in the same way.

tee policy_b.hcl <<EOF
# Manage namespaces
path "sys/namespaces/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage policies
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List policies
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Enable and manage secrets engines
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# List available secrets engines
path "sys/mounts" {
  capabilities = [ "read" ]
}

# Create and manage entities and groups
path "identity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Manage tokens
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets at 'group_b'
path "group-b/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
vault policy write policy_b policy_b.hcl
- Enable the KV version 2 secrets engine at two different mounts, group-a and group-b (the secret itself, my-secret, is written in the next step):

vault secrets enable -path=group-a -version=2 kv
vault secrets enable -path=group-b -version=2 kv
- Create a KV secret at the same relative path, my-secret, in each mount, group-a and group-b:

vault kv put group-a/my-secret my-value=secret
vault kv put group-b/my-secret my-value=secret
- Enable the authentication method in Vault and save its mount accessor, which the group aliases below need. For the OIDC method used in this article, replace <your-auth-method> with oidc:

vault auth enable <your-auth-method>
vault auth list -format=json | jq -r '.["<your-auth-method>/"].accessor' > accessor.txt
- Create the external groups, each with its own policy, and save their IDs:

vault write -format=json identity/group name="group_a" \
    type="external" \
    policies="policy_a" | jq -r ".data.id" > group_ida.txt
vault write -format=json identity/group name="group_b" \
    type="external" \
    policies="policy_b" | jq -r ".data.id" > group_idb.txt
- Create a group alias for each external group. The alias name must be the group name exactly as it appears in the OIDC token's groups claim (the claim named by groups_claim on the OIDC role); this is what maps a login to the external group. Here the provider's group "qa" maps to group_a and "dev" maps to group_b:

vault write -format=json identity/group-alias name="qa" \
    mount_accessor=$(cat accessor.txt) \
    canonical_id=$(cat group_ida.txt)
vault write -format=json identity/group-alias name="dev" \
    mount_accessor=$(cat accessor.txt) \
    canonical_id=$(cat group_idb.txt)
- Create the internal groups with the external groups as members:

vault write identity/group \
    name="InternalGroupA" \
    policies="policy_a" \
    member_group_ids=$(cat group_ida.txt)
vault write identity/group \
    name="InternalGroupB" \
    policies="policy_b" \
    member_group_ids=$(cat group_idb.txt)
- Create the entities for the existing users of your OIDC authentication method. Note that this is not what ties a login to a group: without an entity alias these entities are not attached to the OIDC login, and Vault creates an entity (with its alias) automatically on first login. Group membership in this scenario comes from the group aliases above, matched against the groups claim. The organization value is entity metadata, so it needs the metadata= prefix:

vault write identity/entity name="joe" \
    metadata=team="qa" \
    metadata=organization="HashiCorp"
vault write identity/entity name="alice" \
    metadata=team="dev" \
    metadata=organization="HashiCorp"
- Log in with the authentication method as alice, a member of the provider's dev group, which maps to group_b. For the OIDC method the command is vault login -method=oidc role=<role>, which opens the provider's login page in a browser; username= is not an OIDC login parameter:

vault login -method=<your-auth-method> username=alice
- Check that the secrets in group-a are denied to alice. The error comes from the preflight mount check that vault kv get runs before the real read; the read of group-a/data/my-secret would be denied the same way:

vault kv get group-a/my-secret
Error making API request.

URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/group-a/my-secret
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "group-a/my-secret/"
- Check that alice can read the secrets in group-b:

vault kv get group-b/my-secret
====== Metadata ======
Key              Value
---              -----
created_time     2021-07-05T10:10:51.335262161Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
my-value    secret
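The procedure above uses policies that carry far more than the KV stanza it says you need. The script below is an added example, not part of the original article or of Vault itself: it generates the least-privilege policy per group (only the "<mount>/*" stanza) and lints any policy file for the broad administrative paths that would let a group member rewrite policies or group membership and reach the other group's mount. The file names, the policy-to-mount mapping and the APPLY switch are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the article's or Vault's own code: generate a
# least-privilege policy per group and lint policy files for stanzas that
# reach outside the group's own KV mount. File names and the APPLY switch
# are assumptions made for this example.
set -euo pipefail

# Emit the minimal policy for one KV v2 mount. KV v2 exposes the mount as
# <mount>/data/..., <mount>/metadata/..., <mount>/delete/... and so on,
# so a single "<mount>/*" stanza covers every KV v2 operation on it.
gen_policy() {
  local mount="$1"
  cat <<EOF
# Manage secrets at '${mount}' only
path "${mount}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

# Lint a policy file: return 1 if it grants any of the broad paths found in
# the article's test policies. With sys/policies/acl/* a member can rewrite
# policy_a to include group-b/*, and with identity/* they can change group
# membership, so either one defeats the per-group isolation.
lint_policy() {
  local file="$1" bad=0 p
  for p in 'sys/policies/acl' 'identity/' 'auth/token/' 'sys/mounts' 'sys/namespaces'; do
    if grep -Eq "^path \"${p}" "$file"; then
      echo "WARN: ${file}: path \"${p}...\" is outside the group's own KV mount" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Policy name -> KV mount, as in the article.
for pair in policy_a:group-a policy_b:group-b; do
  name="${pair%%:*}"
  mount="${pair##*:}"
  gen_policy "$mount" > "${name}.hcl"
  lint_policy "${name}.hcl"
  # Only talk to Vault when explicitly asked (APPLY=1 with VAULT_ADDR and
  # VAULT_TOKEN set); otherwise the script just writes the .hcl files.
  if [ "${APPLY:-0}" = 1 ]; then
    vault policy write "$name" "${name}.hcl"
  fi
done
```

Run it with APPLY=1 to replace policy_a and policy_b with the minimal versions, then repeat the login check above. After logging in as a member of one group, vault token capabilities group-b/data/my-secret prints deny for a Group_A member and the granted capabilities for a Group_B member, which is a quicker check than reading the secret.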
Additional Information
Official guides for more information:
- Entities and groups: https://learn.hashicorp.com/tutorials/vault/identity
- Leveraging identity for an auth method with external groups: https://learn.hashicorp.com/tutorials/vault/namespaces#additional-discussion
- Enabling a KV secrets engine: https://learn.hashicorp.com/tutorials/vault/getting-started-secrets-engines#enable-a-secrets-engine
- Writing and reading KV secrets: https://www.vaultproject.io/docs/secrets/kv/kv-v2#writing-reading-arbitrary-data