Conditional policies #29287

Open
AyoubElbardi opened this issue Jan 6, 2025 · 1 comment

Comments


AyoubElbardi commented Jan 6, 2025

Currently, Vault's KV v2 secrets engine does not natively support dynamic access control based on secret metadata. While it is possible to organize secrets by paths and create policies for each path, this approach becomes cumbersome and inefficient when dealing with a large number of secrets or when secrets need to be shared across multiple teams or contexts.

For example:
- Secrets are stored in a single path (e.g., secret/data/shared/*).
- Each secret has metadata (e.g., team=engineering, environment=production).

We want to grant access to secrets based on their metadata (e.g., only instances with team=engineering can access secrets tagged with team=engineering).

Currently, this requires workarounds that can be difficult to achieve:
- Path-based organization: duplicating secrets across multiple paths, which is not scalable.

So is there any Vault feature that I may not know of that could help me have a conditional policy based on metadata, or on another parameter that can be used as a tag for the secrets, so that instead of adding all the secret paths to the policy I only add the metadata name as a condition?

For example:

secrets:
  secret/data/shared/secret1    metadata: team=1
  secret/data/shared/secret2    metadata: team=1
  secret/data/shared/secret3    metadata: team=2

policy (the "condition" block is the requested feature, not existing Vault syntax):

resource "vault_policy" "user-1" {
  name = "user-1"

  policy = <<EOT
# same mount as the secrets listed above
path "secret/data/shared/*" {
  capabilities = ["read"]
  condition = {
    expr = "metadata.team == '1'"
  }
}
EOT
}

I already saw this: https://developer.hashicorp.com/vault/docs/concepts/policies#required_parameters, but unfortunately it is not compatible with KV v2.

VioletHynes (Contributor) commented

This should be possible with RGPs: https://developer.hashicorp.com/vault/docs/enterprise/sentinel#role-governing-policies-rgps

However, I'd also suggest that it would be beneficial not to have all of your secrets on a single path. Since policies are primarily path based, the best way to control access is to split paths into logical groupings. For example, maybe you could have the following setup:

secret/data/shared/dev/secret1
secret/data/shared/qa/secret1
secret/data/shared/production/secret1
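As an added example of the path-based split suggested above (written for this page, not code from the issue or from HashiCorp), here is one Vault ACL policy for a team that may read the dev and qa groupings but never production. It assumes the KV v2 engine is mounted at secret/ and the dev/qa/production names from the comment; the policy name shared-dev-qa is made up for the example.

```hcl
# Added example policy, not from the issue. Assumes KV v2 mounted at "secret/".
#
# KV v2 exposes every secret under two API prefixes: "data/" for reading and
# writing versions, and "metadata/" for listing, version history and custom
# metadata. A read-only policy that omits the metadata/ rules lets
# "vault kv get" work but breaks "vault kv list" and "vault kv metadata get".

# dev: read versions, enumerate names
path "secret/data/shared/dev/*" {
  capabilities = ["read"]
}
path "secret/metadata/shared/dev/*" {
  capabilities = ["read", "list"]
}

# qa: same grants as dev
path "secret/data/shared/qa/*" {
  capabilities = ["read"]
}
path "secret/metadata/shared/qa/*" {
  capabilities = ["read", "list"]
}

# Allow enumerating the grouping folders themselves (dev/, qa/, production/)
# so "vault kv list secret/shared" succeeds; the names of production
# secrets stay hidden because nothing below production/ is granted.
path "secret/metadata/shared/" {
  capabilities = ["list"]
}

# "+" matches exactly one path segment, so this grants the same-named
# secret across every grouping without listing each environment. Remove
# it if production must stay unreachable, because it covers production/ too.
path "secret/data/shared/+/common-config" {
  capabilities = ["read"]
}

# "deny" takes precedence over every other capability, including the "+"
# rule above and any broader rule in another policy attached to the same
# token, so production stays unreadable even if someone later adds
# "secret/data/shared/*".
path "secret/data/shared/production/*" {
  capabilities = ["deny"]
}
path "secret/metadata/shared/production/*" {
  capabilities = ["deny"]
}
```

Load it with `vault policy write shared-dev-qa shared-dev-qa.hcl` and attach the name to the team's auth role or token; a token holding several policies gets the union of their grants, which is why the explicit deny on production/ is worth keeping even when no other policy currently mentions it.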
