Introduction
Everything in Vault is path-based, and in the case of namespaces the terms `path` and `namespace` can be used interchangeably: a child namespace is simply a path within its parent namespace. This allows users with the appropriate permissions in the parent namespace to manage its children. Conversely, when a namespace is logged into directly, its paths are rooted at that namespace rather than at the parent, so it has no visibility of what is in the parent namespace.
Procedure
To reference a child namespace from a policy written in the parent (for example, to create policies in the root namespace that control child namespaces), prepend the name of the namespace to the paths.
For example, for a namespace called child:
# Manage policies in the 'child' namespace
path "child/sys/policies/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage tokens in the 'child' namespace
path "child/auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage key values under 'child' namespace
path "child/kv/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
...
As a result, users logged into the parent namespace can run commands against the child namespace by prefixing the path with the namespace name; in most cases no -namespace flag is required. Grant only the capabilities the parent-namespace operator actually needs; the lists above, including sudo, are illustrative. The two commands below are equivalent:
~$ vault kv get child/kv/childsecret
====== Metadata ======
Key Value
--- -----
created_time 2021-10-21T01:01:21.299517275Z
deletion_time n/a
destroyed false
version 1
===== Data =====
Key Value
--- -----
junior person
~$ vault kv get -namespace=child kv/childsecret
====== Metadata ======
Key Value
--- -----
created_time 2021-10-21T01:01:21.299517275Z
deletion_time n/a
destroyed false
version 1
===== Data =====
Key Value
--- -----
junior person
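The two commands above resolve to the same absolute path because the namespace is nothing more than a path prefix. The following is an added example, not Vault's own code and not part of the original article: a small Python model of that path composition and of Vault's documented policy-path matching (a trailing `*` matches any suffix, `+` matches exactly one segment). The parent policy text is the one from this page; the child policy and the precedence rule (exact path beats glob, longer glob beats shorter, `deny` wins on the winning rule) are assumptions made for the example and simplify Vault's real evaluator.

```python
import re
from dataclasses import dataclass

# Minimal parser for the `path "..." { capabilities = [...] }` stanzas used
# in Vault ACL policies. Comment lines (# ...) are simply never matched.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


@dataclass(frozen=True)
class Rule:
    namespace: str         # namespace the policy was written in; "" is root
    path: str              # path as written in the policy, relative to namespace
    capabilities: frozenset


def parse_policy(namespace: str, hcl: str) -> list:
    """Turn policy text into Rule objects anchored at `namespace`."""
    rules = []
    for path, caps in RULE_RE.findall(hcl):
        capabilities = frozenset(
            c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.append(Rule(namespace, path, capabilities))
    return rules


def absolute(namespace: str, path: str) -> str:
    """A namespace is just a path prefix: join it onto a relative path."""
    ns = namespace.strip("/")
    return f"{ns}/{path}" if ns else path


def path_matches(pattern: str, path: str) -> bool:
    """Policy-path match: '+' matches one segment, a trailing '*' any suffix."""
    pat, segs = pattern.split("/"), path.split("/")
    if pat[-1].endswith("*"):
        pat[-1] = pat[-1][:-1]
        if len(segs) < len(pat):
            return False
        head_ok = all(p == "+" or p == s for p, s in zip(pat[:-1], segs))
        return head_ok and segs[len(pat) - 1].startswith(pat[-1])
    return len(pat) == len(segs) and all(p == "+" or p == s for p, s in zip(pat, segs))


def allowed(rules, request_ns: str, path: str, capability: str) -> bool:
    """Evaluate a request (request_ns, path) against rules from any namespace.

    Both sides are made absolute first, which is why `-namespace=child kv/x`
    and `child/kv/x` issued from the parent are indistinguishable to policy.
    Precedence is simplified (assumption): exact path beats glob, longer glob
    beats shorter, and 'deny' on the winning rule refuses the request.
    """
    target = absolute(request_ns, path)
    matching = [r for r in rules
                if path_matches(absolute(r.namespace, r.path), target)]
    if not matching:
        return False
    winner = max(matching, key=lambda r: (not r.path.endswith("*"),
                                          len(absolute(r.namespace, r.path))))
    if "deny" in winner.capabilities:
        return False
    return capability in winner.capabilities


# Policy from the article, written in the root namespace: 'child' is a prefix.
PARENT_POLICY = """
# Manage policies in the 'child' namespace
path "child/sys/policies/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage key values under 'child' namespace
path "child/kv/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""

# Constructed for this example: a policy written *inside* the child namespace.
# Its paths are relative to 'child', so they can never reach the parent's mounts.
CHILD_POLICY = """
path "kv/*" {
  capabilities = ["read", "list"]
}
path "sys/policies/acl/*" {
  capabilities = ["read"]
}
"""

PARENT_RULES = parse_policy("", PARENT_POLICY)
CHILD_RULES = parse_policy("child", CHILD_POLICY)


def parent_can_read_child_secret_both_ways() -> tuple:
    """`vault kv get child/kv/childsecret` vs `-namespace=child kv/childsecret`."""
    return (allowed(PARENT_RULES, "", "child/kv/childsecret", "read"),
            allowed(PARENT_RULES, "child", "kv/childsecret", "read"))


def child_sees_only_its_own_tree() -> tuple:
    """A child-namespace policy: its own kv (read only), never the parent's paths."""
    return (allowed(CHILD_RULES, "child", "kv/childsecret", "read"),
            allowed(CHILD_RULES, "child", "kv/childsecret", "update"),
            allowed(CHILD_RULES, "", "kv/childsecret", "read"),
            allowed(CHILD_RULES, "", "sys/policies/acl/default", "read"))


if __name__ == "__main__":
    print("parent reads child secret (prefix, -namespace):",
          parent_can_read_child_secret_both_ways())
    print("child policy (read, update, parent kv, parent sys):",
          child_sees_only_its_own_tree())
```

Run it and the first tuple is (True, True): the prefixed path and the -namespace form collapse to the same absolute path `child/kv/childsecret`. The second tuple shows the other half of the introduction: a policy written in the child grants read but not update on its own kv mount, and no rule it contains can ever match `kv/` or `sys/policies/` in the parent, because every one of its paths is anchored under `child/`.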