How to allow access to all KV v2 secret mounts in a namespace with one policy? #1825
Replies: 1 comment
-
Can you expand on how this fails? I think your only option with the existing KVv2 logic would be to do a path like:

```hcl
path "my-namespace/kvv2-+/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

(where

```hcl
path "my-namespace/+/kvv2-+/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "my-namespace/+/+/kvv2-+/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "my-namespace/+/+/+/kvv2-+/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

though at some point, you risk a mismatch as the latter would match a KVv1 mount at the path:

for instance. At any rate, CEL for ACL policies (as mentioned in https://github.com/orgs/openbao/discussions/783 by @suprjinx) would likely be the solution for this exact use case.
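To make the reply's point about `+` and `*` concrete, here is an added example that is neither OpenBao's own ACL matcher nor code from this thread. It is a small Go model of policy-path matching under two assumptions: a trailing `*` is a plain string-prefix glob, and `+` matches any run of characters within one segment, so `kvv2-+` accepts `kvv2-prod` (upstream documentation only shows `+` as a whole segment, so confirm the embedded form against your own server with `bao policy write` and `bao token capabilities`). The request paths in `main` are constructed for the illustration; `my-namespace`, `kvv2-prod`, `team-a` and `legacy` are invented names. It also generalizes the reply's hand-written list into `NestedPatterns`, which emits one rule per namespace depth.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// matchSegment reports whether one request-path segment satisfies one policy
// segment. A "+" inside the policy segment stands for any run of characters
// that does not cross a "/", so "kvv2-+" accepts "kvv2-prod" (assumption:
// this is how the reply's "kvv2-+" is meant; upstream docs only show "+" as a
// whole segment, so confirm the embedded form against your own server).
func matchSegment(patSeg, reqSeg string) bool {
	if !strings.Contains(patSeg, "+") {
		return patSeg == reqSeg
	}
	parts := strings.Split(patSeg, "+")
	for i := range parts {
		parts[i] = regexp.QuoteMeta(parts[i])
	}
	re := regexp.MustCompile("^" + strings.Join(parts, "[^/]*") + "$")
	return re.MatchString(reqSeg)
}

// MatchPolicyPath reports whether reqPath is covered by a policy path. A
// trailing "*" turns the pattern into a prefix match (the only position "*"
// is valid in); everything before it is compared segment by segment.
func MatchPolicyPath(pattern, reqPath string) bool {
	prefix := strings.HasSuffix(pattern, "*")
	pattern = strings.TrimSuffix(pattern, "*")
	patSegs := strings.Split(pattern, "/")
	reqSegs := strings.Split(reqPath, "/")

	if !prefix {
		if len(patSegs) != len(reqSegs) {
			return false
		}
		for i := range patSegs {
			if !matchSegment(patSegs[i], reqSegs[i]) {
				return false
			}
		}
		return true
	}

	// Prefix glob: every pattern segment but the last must match a whole
	// request segment; the last (often empty, as in ".../data/*") is a plain
	// string prefix of the request segment at that position.
	n := len(patSegs)
	if len(reqSegs) < n {
		return false
	}
	for i := 0; i < n-1; i++ {
		if !matchSegment(patSegs[i], reqSegs[i]) {
			return false
		}
	}
	return strings.HasPrefix(reqSegs[n-1], patSegs[n-1])
}

// NestedPatterns builds the family of paths from the reply, one per
// namespace depth: depth 0 is "my-namespace/kvv2-+/data/*", depth 1 adds
// one "+/" segment, and so on up to maxDepth.
func NestedPatterns(maxDepth int) []string {
	out := make([]string, 0, maxDepth+1)
	for d := 0; d <= maxDepth; d++ {
		out = append(out, "my-namespace/"+strings.Repeat("+/", d)+"kvv2-+/data/*")
	}
	return out
}

func main() {
	// Constructed request paths (not from the discussion). The last one is a
	// KVv1 mount "legacy" holding a key literally named "kvv2-x/data/db": KVv1
	// has no "data/" API segment of its own, so the key looks like a nested
	// KVv2 path to the depth-1 rule. That is the mismatch the reply warns about.
	requests := []string{
		"my-namespace/kvv2-prod/data/app/db",        // KVv2 mount directly in my-namespace
		"my-namespace/kvv2-prod/metadata/app",       // KVv2 metadata: never covered by a data/* rule
		"my-namespace/team-a/kvv2-prod/data/app/db", // KVv2 mount in a child namespace
		"my-namespace/legacy/kvv2-x/data/db",        // KVv1 mount "legacy", key "kvv2-x/data/db"
	}
	for _, pat := range NestedPatterns(2) {
		fmt.Println(pat)
		for _, r := range requests {
			fmt.Printf("  %-45s %v\n", r, MatchPolicyPath(pat, r))
		}
	}
}
```

Running it shows why one rule per depth is needed (the depth-1 pattern does not cover a mount sitting directly in `my-namespace`, and the depth-0 pattern does not cover a child namespace) and that the segment wildcards cannot tell a mount boundary from a key inside a KVv1 mount, which is the ambiguity a CEL-based policy could resolve by inspecting the mount type rather than the path shape.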
-
Hi everyone,
I’d like to define a policy in the root namespace that grants read/write access to all KV v2 secret mounts inside a specific namespace (let’s call it my-namespace).
For a single mount (e.g. my-namespace/kv2-mount/), I can write:
That works fine.
What I’d like, though, is a generic rule that matches any KV v2 mount inside my-namespace. I tried something like:
…but this doesn’t work.
My questions are:
Is it possible to write a single policy that covers all KV v2 mounts in a namespace?
Thanks in advance!