dzieciou

Reputation: 4524

Given a path in Vault how do I find who can access it?

Given a policy, I can see what paths it provides access to.

However, I would like to know the opposite: given a path, I want to know which policies define access to it and which users/identities/groups have these policies assigned to them.

In short, given a path, who can do what with it?

How can I find that with the Vault command-line client or UI?

Upvotes: 1

Views: 1606

Answers (1)

The better way is to use the HTTP API, as in the following example:

REST_URL="https://VAULT-SERVER/v1"
VAULT_TOKEN="VAULT_TOKEN"
VAULT_PATH="identity"

# LIST is Vault's own HTTP verb for enumerating keys; the jq filter is quoted so the
# shell does not glob-expand "[]".
for p in $(curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request LIST "$REST_URL/sys/policies/acl" | jq --raw-output '.data.keys[]')
do
    echo ""
    echo "$p"
    echo ""

    # Fetch each policy document and highlight every line that mentions the path of interest.
    curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request GET "$REST_URL/sys/policies/acl/$p" | jq '.data.policy' | grep --color "$VAULT_PATH"
done

Result:

admin

"... # Manage identities\npath "identity/*" {\n capabilities = ["create", "read", "update", "delete", "list", "sudo"]\n}\n\n ..."

default

"... # Allow a token to look up its own entity by id or name\npath "identity/entity/id/{{identity.entity.id}}" {\n capabilities = ["read"]\n}\npath "identity/entity/name/{{identity.entity.name}}" {\n capabilities = ["read"]\n}\n\n\n ..."

root

Upvotes: 2
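An added example, not part of the answer above: a Python version that answers the question in both directions. It parses the fetched policy documents, matches a concrete request path against Vault's ACL glob rules (trailing `*`, single-segment `+`, `{{...}}` templates), and then lists which identity entities carry the matching policies. `vault_call`, `fetch_policies` and `entities_with_policies` are my own helpers built on the same `sys/policies/acl` endpoints as the curl loop plus the `identity/entity/id` LIST and read endpoints, which assume the Identity secrets engine is enabled; `SAMPLE_POLICIES` is constructed so the matching logic runs offline.

```python
import json
import re
import urllib.request
PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}')
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')

def parse_policy(policy_text):
    """(path_pattern, [capabilities]) for each path stanza of an HCL ACL policy."""
    return [(pat, re.findall(r'"([^"]+)"', m.group(1)) if (m := CAPS_RE.search(body)) else [])
            for pat, body in PATH_RE.findall(policy_text)]

def rule_matches(pattern, path):
    """Vault globbing: trailing '*' = any suffix, '+' = one segment; '{{...}}' treated as one segment."""
    parts = re.split(r"\{\{[^}]*\}\}", pattern)
    regex = "[^/]+".join(re.escape(p).replace(r"\+", "[^/]+") for p in parts)
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None

def policies_granting(policies, path):
    """policy name -> capabilities on `path`; a matching 'deny' stanza overrides the rest."""
    caps = {n: {c for pat, pc in parse_policy(t) if rule_matches(pat, path) for c in pc} for n, t in policies.items()}
    return {n: (["deny"] if "deny" in cs else sorted(cs)) for n, cs in caps.items() if cs}

def vault_call(rest_url, token, api_path, method="GET"):
    """Minimal HTTP helper (assumed, not Vault's SDK); LIST is Vault's own verb, as in the curl loop above."""
    req = urllib.request.Request(f"{rest_url}/{api_path}", method=method, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]

def fetch_policies(rest_url, token):
    """name -> policy text for every ACL policy ('root' is implicit and has no document to read)."""
    names = vault_call(rest_url, token, "sys/policies/acl", "LIST")["keys"]
    return {n: vault_call(rest_url, token, f"sys/policies/acl/{n}")["policy"] for n in names if n != "root"}

def entities_with_policies(rest_url, token, policy_names):
    """Identity entities whose directly attached policies include any of `policy_names`."""
    hits = {}
    for eid in vault_call(rest_url, token, "identity/entity/id", "LIST")["keys"]:
        ent = vault_call(rest_url, token, f"identity/entity/id/{eid}")
        attached = set(ent.get("policies") or []) & set(policy_names)
        if attached:
            hits[ent["name"]] = sorted(attached)
    return hits
# Constructed sample policies; the admin/default stanzas mirror the answer's output above.
SAMPLE_POLICIES = {
    "admin": 'path "identity/*" {\n capabilities = ["create", "read", "update", "delete", "list", "sudo"]\n}',
    "default": 'path "identity/entity/id/{{identity.entity.id}}" {\n capabilities = ["read"]\n}',
    "kv-ops": 'path "secret/data/*" {\n capabilities = ["read"]\n}\npath "secret/data/prod/*" {\n capabilities = ["deny"]\n}',
}
```

Against a live server, chain `entities_with_policies(url, token, policies_granting(fetch_policies(url, token), "identity/entity/id/1234"))` to get the entities. Policies attached through groups (`identity/group/id`) or directly to tokens and auth roles are not covered here and need the same loop over those endpoints.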
