Introduction
In Vault, everything is path based and every operation performed is done through a path. For namespaces, the terms path and namespace can be used interchangeably. A child namespace is a path within its parent namespace. This structure allows users with necessary permissions in the parent namespace to manage any child namespaces. However, when a user logs directly into a child namespace, this user can only see paths starting from the root of that specific namespace and does not have visibility into the parent namespace.
Procedure
To create policies in the root namespace that control a child namespace, prepend the child namespace's name to each path in the policy.
Here's an example for a namespace named child.
# Manage policies in the 'child' namespace
path "child/sys/policies/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage tokens in the 'child' namespace
path "child/auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage key values under the 'child' namespace
path "child/kv/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Users logged into the parent namespace can run commands against the child namespace without specifying the -namespace flag, by prefixing the path with the namespace name instead. For example, the following two commands read the same secret:
$ vault kv get child/kv/<secret>
=== Data ===
Key Value
--- -----
api 123
$ vault kv get -namespace=child kv/test
=== Data ===
Key Value
--- -----
api 123
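The following is an added example, not code from Vault or its documentation. It renders the root-namespace policy above for any child namespace (including nested ones such as child/grandchild, which are simply deeper paths), rewrites a request made inside a namespace to the path the root namespace sees, and checks it against the policy with a simplified version of Vault's trailing-"*" glob matching (exact match otherwise; the "+" segment wildcard is not modelled).

```python
from typing import Dict, List

# Capabilities used by every rule in the article's policy.
FULL_CAPS = ["create", "read", "update", "delete", "list", "sudo"]

# (comment, path suffix) pairs taken from the article's policy.
RULE_TEMPLATES = [
    ("Manage policies", "sys/policies/*"),
    ("Manage tokens", "auth/token/*"),
    ("Manage key values under", "kv/*"),
]


def child_policy_paths(namespace: str) -> Dict[str, List[str]]:
    """Policy rules for a child namespace, keyed by root-relative path.
    A nested namespace is given as a path, e.g. "child/grandchild"."""
    ns = namespace.strip("/")
    return {f"{ns}/{suffix}": list(FULL_CAPS) for _, suffix in RULE_TEMPLATES}


def render_hcl(namespace: str) -> str:
    """Render the same rules as the HCL policy shown in the article."""
    ns = namespace.strip("/")
    blocks = []
    for comment, suffix in RULE_TEMPLATES:
        caps = ", ".join(f'"{c}"' for c in FULL_CAPS)
        blocks.append(f"# {comment} the '{ns}' namespace\n"
                      f'path "{ns}/{suffix}" {{\n'
                      f"  capabilities = [{caps}]\n}}")
    return "\n\n".join(blocks) + "\n"


def root_path(namespace: str, relative: str) -> str:
    """Path of a request as the root namespace sees it: `-namespace=child kv/test`
    and `child/kv/test` from the parent are the same path."""
    ns = namespace.strip("/")
    rel = relative.lstrip("/")
    return f"{ns}/{rel}" if ns else rel


def path_matches(pattern: str, request: str) -> bool:
    """Simplified Vault glob: a trailing '*' matches any remainder, else exact match."""
    if pattern.endswith("*"):
        return request.startswith(pattern[:-1])
    return request == pattern


def is_allowed(policy: Dict[str, List[str]], namespace: str,
               relative: str, capability: str) -> bool:
    """True if some rule covers the request path and grants the capability."""
    request = root_path(namespace, relative)
    return any(path_matches(p, request) and capability in caps
               for p, caps in policy.items())
```

Running is_allowed with an empty namespace models the parent user who types the child prefix directly; a non-empty one models a user who logged in with -namespace.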
See Policy with Namespaces for more information.