Each user has their own passwords

[Rodrigo Porto]

Hi, everyone

I started working with this great tool two weeks ago. I would like to use it in order to help my co-workers. However, I think it would be useful if each user had their own passwords, so it is possible? 

I have seen in the documentation that thanks to Cubbyhole can be achieved. I have done a test to try to verify this, however, it seems that the passwords created are not stored. For example.

I authenticate with the user:

vault login -method=userpass username=user password=test

I store the password:

vault write cubbyhole/my-secret my-value=s3cr3t

Verify:

# vault read cubbyhole/my-secret
Key Value
--- -----
my-value s3cr3t

However, if I log out and log in again, the password is gone. Moreover, on Vault UI, it doesn't let me create or view them.

What should I do?

Thank you very much in advance,

Regards :)

[aru...@pixar.com]

You could technically do this with the normal key-value store (v1 or v2) and a per-user policy (until we get some sort of templating system for policies). Of course a root token can see all the secrets regardless of policy. For this reason I would suggest a personal password manager (ie. 1Password) rather than storing user secrets in Vault.

Regarding the cubbyhole behavior, from the docs:

The cubbyhole secrets engine is used to store arbitrary secrets within the configured physical storage for Vault namespaced to a token. In cubbyhole, paths are scoped per token. No token can access another token's cubbyhole. When the token expires, its cubbyhole is destroyed.

For more info: https://www.vaultproject.io/docs/secrets/cubbyhole/index.html

Aaron

[Rodrigo Porto]

Hi, Aaron

Thank you for your answer.

Regards