Dynamic Policy per User creation


Salvador Salazar

Sep 18, 2018, 12:50:05 AM
to Vault
Hi Vault team and community,

I've been reading Vault's documentation and guides, and haven't been able to find a good answer to my question.

I'm planning on using Vault to store secrets/confidential information for several clients. However, I would like for clients to sign up and have their "vault" dynamically created. What does this mean? I would need each client to have their own "secrets/UUID/<PATH>", and have a policy dynamically created that allows them to authenticate and access ONLY the secrets along their path. Is this possible?

Also, now that I have someone's attention, there's no way to encrypt each client's secrets with different keys, correct?

Thanks for the help! :)

Carlos Vitor Barros

Sep 18, 2018, 1:45:40 AM
to vault...@googlegroups.com
Hello Salvador,

One straightforward answer to that would be Vault Namespaces, a Vault Enterprise feature released with Vault v0.11.0. With namespaces, you provide Vault as a platform for a multi-tenancy scenario, where each of your tenants has its "private Vault", but running on the same infrastructure.
You can check the documentation about that feature:

However, if you use only Vault OSS, you have to use Policy ACL Templating + a bootstrap process (via API or code configuration) to first mount the paths for your clients. Then you can restrict each client's access with policies tailored to do so. ACL Templating does help a lot in that case.

Regards,

Carlos

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/6a1e8380-39c3-492a-b4a8-9bea8eb47d94%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
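The open-source approach Carlos describes (one templated ACL policy plus a bootstrap step), worked through as an added example that is not code from this thread or from HashiCorp. The policy uses Vault's real templating parameter `{{identity.entity.id}}`, so a single policy confines every client to its own subtree of the KV v2 mount; the block also reproduces Vault's path matching (trailing `*` prefix glob, `+` single-segment wildcard, most specific rule wins) so the confinement can be checked offline before anything is written to a server. The policy name `tenant`, the `secret/` mount, the client names and the two entity IDs are assumptions chosen for illustration; the `bootstrap` function talks to the Vault HTTP API only when `VAULT_ADDR` and `VAULT_TOKEN` are set.

```python
# Added example (not from the thread): templated per-client Vault policy,
# offline check of what it permits, and the bootstrap calls that install it.
import json
import os
import re
import urllib.error
import urllib.request

POLICY_NAME = "tenant"  # assumed policy name

# Real Vault templating syntax: {{identity.entity.id}} is substituted at
# request time with the entity ID of the calling token, so one policy gives
# each client access to its own subtree only (KV v2 data + metadata paths).
TENANT_POLICY_TEMPLATE = """
path "secret/data/{{identity.entity.id}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/{{identity.entity.id}}/*" {
  capabilities = ["list", "read", "delete"]
}
"""

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def render_policy(entity_id: str) -> str:
    """Substitute the template parameter the way Vault does for one entity."""
    return TENANT_POLICY_TEMPLATE.replace("{{identity.entity.id}}", entity_id)


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set(capabilities)} for the simple HCL used here."""
    rules = {}
    for pattern, caps in _RULE.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style matching: trailing '*' is a prefix glob, '+' matches exactly
    one non-empty segment, every other segment must be equal."""
    pseg, rseg = pattern.split("/"), path.split("/")
    glob = pseg[-1].endswith("*")
    if glob:
        pseg[-1] = pseg[-1][:-1]
    if len(rseg) < len(pseg) or (not glob and len(rseg) != len(pseg)):
        return False
    for i, p in enumerate(pseg):
        if p == "+":
            if rseg[i] == "":
                return False
        elif glob and i == len(pseg) - 1:
            if not rseg[i].startswith(p):
                return False
        elif p != rseg[i]:
            return False
    return True


def capabilities_for(entity_id: str, path: str) -> set:
    """Exact path beats any glob; among globs the longest pattern applies
    (a simplification of Vault's precedence rules)."""
    rules = parse_policy(render_policy(entity_id))
    if path in rules:
        return rules[path]
    matches = [p for p in rules if path_matches(p, path)]
    return rules[max(matches, key=len)] if matches else set()


def is_allowed(entity_id: str, path: str, capability: str) -> bool:
    caps = capabilities_for(entity_id, path)
    return "deny" not in caps and capability in caps


def _vault(method, url_path, token, body=None):
    """Minimal Vault HTTP API call using only the standard library."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + url_path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def bootstrap(token: str, username: str, password: str) -> None:
    """Write the templated policy, enable userpass if needed, attach the policy
    to a new user. Vault creates the entity (and thus the ID the template
    resolves to) on that user's first login."""
    _vault("PUT", f"sys/policies/acl/{POLICY_NAME}", token, {"policy": TENANT_POLICY_TEMPLATE})
    try:
        _vault("POST", "sys/auth/userpass", token, {"type": "userpass"})
    except urllib.error.HTTPError as e:  # 400 when the mount already exists
        if e.code != 400:
            raise
    _vault("POST", f"auth/userpass/users/{username}", token,
           {"password": password, "policies": POLICY_NAME})


if __name__ == "__main__":
    if "VAULT_ADDR" in os.environ and "VAULT_TOKEN" in os.environ:
        bootstrap(os.environ["VAULT_TOKEN"], "client-a", "change-me")
    else:
        a, b = "11111111-aaaa", "22222222-bbbb"  # constructed entity IDs
        print(is_allowed(a, f"secret/data/{a}/db", "read"))  # True
        print(is_allowed(a, f"secret/data/{b}/db", "read"))  # False
```

Because the policy is templated, the bootstrap step is the same for every sign-up: no per-client policy is generated, only a user (or other auth entry) that carries the shared `tenant` policy. If the client's path must be predictable before first login, pre-create the entity through the identity API and template on `{{identity.entity.name}}` instead of the ID.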