
I am new to Vault, and trying to secure data according to the k8s namespace a pod is in. I have the authentication part sorted, but I can't make an ACL that lets a client read secrets without giving away all secrets.

The structure i am using is secret/k8s/<k8s-namespace>/<appname>

e.g. secret/k8s/bex/app1


I have tried an ACL policy like this, but without secret/* I am denied access, and with secret/* clients can see everything, even paths adjacent to bex.

What am I doing wrong?

# Without this, I cannot access anything
#path "secret/*" { capabilities = [ "read", "list" ]}

path "secret/k8s/bex*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1*" { capabilities = [ "read", "list" ]}
Jon Bates

1 Answer


TL;DR:

This is because when you are granting access to secrets you need to use the data path after the secret backend. In your case: secret/data/k8s/bex/app1

Long version:

If you are using the older (deprecated) KV1 version then your policy looks like this:

path "secret/dev/team-1/*" {
  capabilities = ["create", "update", "read"]
}

If (I assume) you are using the new KV2 secrets engine (the default), then the read paths are prefixed with data/.

path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read"]
}

More in the Official Docs.

Ph03n1x
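Applying the answer to the question's own layout (secret/k8s/<k8s-namespace>/<appname>), as an added example that is not the answer's or the questioner's policy. It assumes the KV engine is mounted at secret/ as KV version 2, as the answer assumes. It also covers a point the answer does not mention: in KV v2, reads go through secret/data/... but listing keys goes through secret/metadata/..., so a policy that grants "list" only on data/ paths still denies `vault kv list`. The last two stanzas go beyond the question and use Vault policy templating so one policy serves every namespace; the accessor name auth_kubernetes_ACCESSOR is a placeholder you must replace, and the alias metadata key service_account_namespace is the one the kubernetes auth method sets on the entity alias.

```hcl
# Added example for the layout secret/k8s/<k8s-namespace>/<appname>.
# Not the policy from the answer above; assumes KV v2 mounted at "secret/".

# KV v2 stores secret data under <mount>/data/<path>, so
# `vault kv get secret/k8s/bex/app1` really hits secret/data/k8s/bex/app1.
# A rule on "secret/k8s/bex/*" therefore matches nothing, which is why the
# questioner needed "secret/*" to get any access at all.
path "secret/data/k8s/bex/*" {
  capabilities = ["read"]
}

# Listing in KV v2 goes through <mount>/metadata/<path>, not data/.
# Without this stanza `vault kv list secret/k8s/bex` is denied even though
# reads succeed. Vault policy globs are prefix matches, so this also covers
# listing secret/metadata/k8s/bex/ itself. "list" reveals key names only,
# never secret values.
path "secret/metadata/k8s/bex/*" {
  capabilities = ["list"]
}

# Beyond the question: the same rule for every namespace at once, using
# Vault policy templating. The kubernetes auth method records the pod's
# service account namespace as entity alias metadata, so it can be
# substituted at evaluation time. Replace auth_kubernetes_ACCESSOR with the
# accessor printed by `vault auth list -detailed` for your kubernetes mount
# (placeholder, an assumption of this example).
path "secret/data/k8s/{{identity.entity.aliases.auth_kubernetes_ACCESSOR.metadata.service_account_namespace}}/*" {
  capabilities = ["read"]
}
path "secret/metadata/k8s/{{identity.entity.aliases.auth_kubernetes_ACCESSOR.metadata.service_account_namespace}}/*" {
  capabilities = ["list"]
}
```

To check it, load the policy with `vault policy write bex-read policy.hcl`, bind it to the kubernetes auth role for the bex namespace, then from a pod in that namespace confirm that `vault kv get secret/k8s/bex/app1` and `vault kv list secret/k8s/bex` succeed while `vault kv get secret/k8s/other/app1` returns a permission denied error. If the data/ stanza is removed, the read fails; if the metadata/ stanza is removed, only the list fails, which is the quickest way to see that the two operations are authorised on different paths.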