I am new to Vault, and trying to secure data according to the k8s namespace a pod is in. I have the authentication part sorted, but I can't make an ACL that lets a client read secrets without giving away all secrets.
The structure I am using is secret/k8s/<k8s-namespace>/<appname>
e.g. secret/k8s/bex/app1
I have tried an ACL policy like this, but without secret/* I am denied access, and with secret/* clients can see everything, even paths adjacent to bex.
What am I doing wrong?
# Without this, I cannot access anything
#path "secret/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1*" { capabilities = [ "read", "list" ]}
TL;DR:
This is because when you are granting access to secrets you need to use the data path after the secret backend. In your case: secret/data/k8s/bex/app1
Long version:
If you are using the older (deprecated) KV1 version then your policy looks like this:
path "secret/dev/team-1/*" {
capabilities = ["create", "update", "read"]
}
If (I assume) you are using the new KV2 secret engine (default), then the read paths are prefixed with the data/ path.
path "secret/data/dev/team-1/*" {
capabilities = ["create", "update", "read"]
}
More in the Official Docs.
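To see concretely why the question's policy matches nothing while secret/* matches everything, here is a small re-implementation of Vault's ACL path matching (exact match, trailing * glob, + single-segment wildcard, longest match wins, deny overrides) run against the paths the `vault kv` CLI really sends to a KV v2 engine mounted at secret/: get goes to secret/data/..., list goes to secret/metadata/... with a trailing slash. This is an added example, not code from the question, the answer, or the Vault project; the policies, namespace names and request paths are constructed for illustration.

```python
"""Simulate Vault ACL evaluation for KV v2 request paths.

Added example (not from the original Q&A or from Vault). The policies below
are constructed; the path translation mirrors what `vault kv get` / `vault kv
list` do against a KV v2 mount: get -> <mount>/data/<path>,
list -> <mount>/metadata/<path>/ (Vault adds a trailing slash to list requests
before the ACL check)."""
import re

# The policy from the question: it names the KV path, not the KV v2 API path.
QUESTION_POLICY_HCL = '''
path "secret/k8s/bex/*" { capabilities = ["read", "list"] }
'''

# The commented-out rule from the question: works, but exposes every mount path.
BROAD_POLICY_HCL = 'path "secret/*" { capabilities = ["read", "list"] }'

# Constructed KV v2 policy scoped to the "bex" namespace only.
FIXED_POLICY_HCL = '''
# vault kv get secret/k8s/bex/<app> -> read on secret/data/k8s/bex/<app>
path "secret/data/k8s/bex/*" { capabilities = ["read"] }
# vault kv list secret/k8s/bex -> list on secret/metadata/k8s/bex/
path "secret/metadata/k8s/bex/*" { capabilities = ["list"] }
'''

_RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl):
    """Parse the subset of policy HCL used here: path blocks with a capabilities list."""
    rules = {}
    for path, caps in _RULE_RE.findall(hcl):
        rules[path] = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
    return rules


def _to_regex(pattern):
    """Vault glob rules: a trailing '*' matches any suffix (prefix match) and a
    segment that is exactly '+' matches one path segment; nothing else is special."""
    is_glob = pattern.endswith("*")
    body = pattern[:-1] if is_glob else pattern
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if is_glob else "") + "$")


def resolve(rules, request_path):
    """Capabilities applying to request_path: an exact rule wins, otherwise the
    longest matching glob rule; a 'deny' capability removes everything."""
    if request_path in rules:
        caps = rules[request_path]
    else:
        hits = [p for p in rules if _to_regex(p).match(request_path)]
        if not hits:
            return frozenset()
        caps = rules[max(hits, key=len)]
    return frozenset() if "deny" in caps else caps


def kv2_request_path(mount, op, kv_path):
    """Translate `vault kv <op> <mount>/<kv_path>` into the path the ACL evaluates."""
    if op == "list":
        return f"{mount}/metadata/{kv_path.rstrip('/')}/"
    return f"{mount}/data/{kv_path}"


def can(policy_hcl, op, kv_path, mount="secret"):
    """True if a token holding policy_hcl may run `vault kv <op> <mount>/<kv_path>`."""
    capability = "list" if op == "list" else "read"
    return capability in resolve(parse_policy(policy_hcl), kv2_request_path(mount, op, kv_path))


if __name__ == "__main__":
    for name, hcl in [("question", QUESTION_POLICY_HCL), ("broad", BROAD_POLICY_HCL), ("fixed", FIXED_POLICY_HCL)]:
        print(f"{name:8} get bex/app1={can(hcl, 'get', 'k8s/bex/app1')} "
              f"list bex={can(hcl, 'list', 'k8s/bex')} "
              f"get other/app1={can(hcl, 'get', 'k8s/other/app1')}")
```

The question's policy grants nothing because `secret/k8s/bex/*` never matches `secret/data/k8s/bex/app1`; `secret/*` grants everything because it is a prefix of every path on the mount. The scoped rules use `secret/data/k8s/bex/*` and `secret/metadata/k8s/bex/*`, so a neighbouring namespace such as `k8s/other` (or a prefix-sharing one such as `k8s/bexother`) stays out of reach; the `+` wildcard is there if one rule per namespace is not wanted.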