Introduction
When organizations adopt namespaces, they often require that administrators be able to manage every namespace without being able to read or use the secrets stored in them. Everything in Vault is path-based, and in the case of namespaces the terms `path` and `namespace` are effectively interchangeable: a child namespace is a path prefix within its parent namespace, so a request to `child/sys/namespaces` issued from the parent addresses the same `sys/namespaces` endpoint as a request made from inside `child`. A user with the appropriate permissions in a parent namespace can therefore manage that namespace's descendants.
Procedure
A suggested pattern that lets a user manage the `sys` path in the current namespace and in child namespaces up to three levels deep is to create and assign the following policy. The `+` wildcard in a Vault policy path matches exactly one path segment, so each additional `+/` prefix reaches one namespace further down:
```hcl
path "sys/*" {
  capabilities = ["read", "list", "create", "update", "delete", "sudo"]
}

path "+/sys/*" {
  capabilities = ["read", "list", "create", "update", "delete", "sudo"]
}

path "+/+/sys/*" {
  capabilities = ["read", "list", "create", "update", "delete", "sudo"]
}

path "+/+/+/sys/*" {
  capabilities = ["read", "list", "create", "update", "delete", "sudo"]
}
```
This grants access to the `sys` path up to three namespaces deep. For example, listing the namespaces defined inside `child/child2/child3`:

```
~$ vault list child/child2/child3/sys/namespaces
Keys
----
child4/
```
It does not grant access to any other path, so the secrets held in those namespaces remain unreadable to the policy holder:

```
~$ vault kv get -namespace=child kv/childsecret
Error reading kv/data/childsecret: Error making API request.

URL: GET https://localhost:8200/v1/kv/data/childsecret
Code: 403. Errors:

* 1 error occurred:
	* permission denied
```

Note that `sys/*` with `sudo` is broad: in each covered namespace it includes `sys/policies/acl/*` and `sys/mounts/*`, so the holder can rewrite policies there (including the one granting this access) and enable, tune or disable secrets engines. Where that is more than the administrators need, replace `sys/*` with the specific `sys/` subpaths they require, such as `sys/namespaces/*`.
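As an added example, not part of the original article or of Vault itself, the following script generalizes the procedure above: it generates the same policy for an arbitrary namespace depth and checks which request paths the generated rules cover. The function names (`ns_admin_policy`, `policy_covers`, `rule_to_regex`) are this example's own, and the matcher is a simplified model of Vault's ACL matching (`+` is one non-empty path segment, a trailing `*` is a glob) that ignores Vault's longest-prefix priority between overlapping rules, which does not arise here because the generated rules are disjoint. Nothing in it talks to a Vault server; pipe the policy output into `vault policy write <name> -` to apply it.

```shell
#!/usr/bin/env bash
# Added example: generate the "manage sys/ to depth N" namespace-admin policy
# and model which request paths it covers. Function names are this example's own.
set -eu

# Emit the HCL policy granting full sys/ access in the current namespace and in
# every descendant namespace up to $1 levels deep (depth 3 reproduces the
# four-rule policy from the article).
ns_admin_policy() {
  depth=$1
  prefix=""
  level=0
  while [ "$level" -le "$depth" ]; do
    printf 'path "%ssys/*" {\n  capabilities = ["read", "list", "create", "update", "delete", "sudo"]\n}\n' "$prefix"
    prefix="+/$prefix"
    level=$((level + 1))
  done
}

# Extract just the path patterns (e.g. +/+/sys/*) from a generated policy.
policy_rules() {
  ns_admin_policy "$1" | sed -n 's/^path "\(.*\)" {$/\1/p'
}

# Translate one policy path into an anchored extended regex. Simplified model of
# Vault's matching: a trailing '*' matches the rest of the path, '+' matches
# exactly one non-empty segment (no slashes).
rule_to_regex() {
  printf '^%s$' "$(printf '%s' "$1" | sed -e 's|\*|.*|g' -e 's|+|[^/]+|g')"
}

# Return 0 if request path $1 (relative to the token's namespace) is matched by
# some rule of the depth-$2 policy, 1 otherwise.
policy_covers() {
  request=$1
  for rule in $(policy_rules "$2"); do
    if printf '%s\n' "$request" | grep -Eq -- "$(rule_to_regex "$rule")"; then
      return 0
    fi
  done
  return 1
}

# Demo: print the depth-3 policy, then show which requests it admits. The
# request paths are constructed for this example; the kv path is the one the
# article shows being denied, and the child4 path is one level too deep.
ns_admin_policy 3
for request in sys/namespaces \
               child/child2/child3/sys/namespaces \
               child/child2/child3/child4/sys/namespaces \
               child/kv/data/childsecret \
               sys/policies/acl/ns-admin; do
  if policy_covers "$request" 3; then
    echo "allowed  $request"
  else
    echo "denied   $request"
  fi
done
```

The last request in the demo, `sys/policies/acl/ns-admin`, is reported as allowed: it illustrates that `sys/*` includes policy management in every covered namespace, which is the reason to narrow the rules when administrators only need namespace and mount management.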