kubernetes, vault

Access Denied on vault secrets


I am new to Vault, and am trying to secure data according to the k8s namespace a pod is in. I have the authentication part sorted, but I can't make an ACL that lets a client read secrets without giving away all secrets.

The structure I am using is secret/k8s/<k8s-namespace>/<appname>

e.g. secret/k8s/bex/app1


I have tried an ACL policy like this, but without secret/* I am denied access, and with secret/* clients can see everything, even paths adjacent to bex.

What am I doing wrong?

# Without this, I cannot access anything
#path "secret/*" { capabilities = [ "read", "list" ]}

path "secret/k8s/bex*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1*" { capabilities = [ "read", "list" ]}

Solution

TL;DR:

This is because, when you are granting access to secrets, you need to use the data path after the secret backend. In your case: secret/data/k8s/bex/app1

Long version:

If you are using the older (deprecated) KV1 version, then your policy looks like this:

# KV1: the key path follows the mount name directly
path "secret/dev/team-1/*" {
  capabilities = ["create", "update", "read"]
}

If (I assume) you are using the new KV2 secret engine (the default), then the paths for reads are prefixed with data/:

# KV2: reads and writes of secret data go through the data/ prefix
path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read"]
}

More in the Official Docs.
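To make the path difference concrete, here is an added example (written for this page, not Vault's own code and not from the answer above) that models Vault's ACL path matching and evaluates both the asker's policy and a corrected KV2 policy against the API paths a KV2 client actually requests. It assumes a mount named `secret`, a namespace `bex` and an app `app1` as in the question, and it also covers listing, which on a KV2 mount goes through the `metadata/` prefix rather than `data/` (standard KV2 behaviour the answer does not spell out). The resolution logic is a simplification of Vault's (most specific matching rule wins, `deny` overrides); the glob semantics (trailing `*` is a string-prefix match, `+` matches one path segment) follow Vault's documented rules.

```python
"""Minimal model of Vault ACL path matching, used to show why a policy written
against secret/<key> denies reads on a KV2 mount, where the client actually
hits secret/data/<key> (reads/writes) and secret/metadata/<key> (lists).
Illustration only; this is not Vault's own implementation."""
import re

# A rule is: path "<pattern>" { capabilities = [ ... ] } ; '#' starts a comment.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict:
    """Return {pattern: set(capabilities)} from HCL-style policy text."""
    rules = {}
    for m in RULE_RE.finditer(re.sub(r"#.*", "", hcl)):
        caps = {c.strip().strip('"') for c in m.group(2).split(",") if c.strip()}
        rules[m.group(1)] = caps
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault glob semantics: a trailing '*' matches any suffix (plain string
    prefix match), and a '+' segment matches exactly one path segment."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    path_segs = path.split("/")
    if glob:
        if len(path_segs) < len(pat_segs):
            return False
        head_ok = all(p == "+" or p == s
                      for p, s in zip(pat_segs[:-1], path_segs))
        last_pat, last_seg = pat_segs[-1], path_segs[len(pat_segs) - 1]
        return head_ok and (last_pat == "+" or last_seg.startswith(last_pat))
    return len(pat_segs) == len(path_segs) and all(
        p == "+" or p == s for p, s in zip(pat_segs, path_segs))


def allowed(rules: dict, capability: str, path: str) -> bool:
    """Decide one request. Simplified Vault resolution: the most specific
    matching rule (exact path first, otherwise the longest pattern) decides,
    and a 'deny' capability in that rule overrides everything else."""
    matches = [p for p in rules if path_matches(p, path)]
    if not matches:
        return False
    best = path if path in rules else max(matches, key=len)
    caps = rules[best]
    return "deny" not in caps and capability in caps


# Constructed copy of the asker's policy: KV1-style paths, no data/ prefix.
ASKER_POLICY = """
#path "secret/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/*" { capabilities = [ "read", "list" ]}
path "secret/k8s/bex/app1" { capabilities = [ "read", "list" ]}
"""

# Corrected policy for a KV2 mount: reads via data/, lists via metadata/.
# Scoped to the bex namespace only, so adjacent namespaces stay hidden.
KV2_POLICY = """
path "secret/data/k8s/bex/*"     { capabilities = ["read"] }
path "secret/metadata/k8s/bex/*" { capabilities = ["list"] }
"""


def check(policy_text: str) -> dict:
    """Evaluate the requests a KV2 client makes (plus a KV1-style read)."""
    rules = parse_policy(policy_text)
    return {
        "read_own_app":   allowed(rules, "read", "secret/data/k8s/bex/app1"),
        "list_own_ns":    allowed(rules, "list", "secret/metadata/k8s/bex/"),
        "read_other_ns":  allowed(rules, "read", "secret/data/k8s/other/app1"),
        "read_kv1_style": allowed(rules, "read", "secret/k8s/bex/app1"),
    }


if __name__ == "__main__":
    for name, text in (("asker", ASKER_POLICY), ("kv2", KV2_POLICY)):
        print(name, check(text))
```

Running it shows the asker's policy only ever matches the KV1-style path, so every KV2 request is denied, while the corrected policy allows reads and lists under `bex` and still denies `secret/data/k8s/other/app1`. The same evaluation can be done against a real server with `vault policy write` and `vault kv get -mount=secret k8s/bex/app1`, which is the fastest way to confirm which API path a token is actually being checked against.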