Approle and Policies


Sougrakpam

Mar 27, 2017, 6:32:35 AM
to Vault
Hi All,

I was trying out approle authentication with Vault and had a few doubts.

What is the expected behavior for mapping policies to approles?
A role is tied to a policy/policies. What policies are allowed to be attached to a role? A subset of the user's policies?

Cheers,
Gobin

Jeff Mitchell

Mar 27, 2017, 10:37:51 AM
to Vault
Hi Gobin,

It's an authentication backend, so you can attach any policies (except root) to a role. They're the policies you want an application to have after using a role/secret to authenticate.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/79cbae12-1d77-4524-98ae-008aa37153a8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gobin

Mar 27, 2017, 6:09:00 PM
to Vault
Thanks for the confirmation, Jeff. There was a gap in my understanding.

Just trying to summarise my understanding of approle:
  1. Any user who has access to create a role can map the role to an existing policy which the user is not mapped to, and, by virtue of that role, give themselves access to secrets tied to that existing policy.
  2. In a Vault instance shared by multiple teams, this would mean that not everyone should be given access to create roles. And role creation would behave in a similar way to policy creation (until the delegation feature comes), which is done by only a subset of users (admins).
  3. We can mount multiple approle backends. Is this by design? Shouldn't it be limited to only a single one, just like the token backend?
Regards,
Gobin


Jeff Mitchell

Mar 28, 2017, 10:53:14 AM
to Vault
Hi Gobin,
  1. Any user who has access to create a role can map the role to an existing policy which the user is not mapped to, and, by virtue of that role, give themselves access to secrets tied to that existing policy.
Correct.
  2. In a Vault instance shared by multiple teams, this would mean that not everyone should be given access to create roles. And role creation would behave in a similar way to policy creation (until the delegation feature comes), which is done by only a subset of users (admins).
Also correct; however, in 0.7, you can use the allowed_parameters/denied_parameters feature to allow users to create roles but either not allow them to set the list of policies or only allow them to set a specific list.
  3. We can mount multiple approle backends. Is this by design? Shouldn't it be limited to only a single one, just like the token backend?
Token is special (as is sys and cubbyhole); all other backends can be mounted as many times as you want.

Best,
Jeff
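The allowed_parameters/denied_parameters approach Jeff describes, written out as an added example ACL policy (not from the thread or the Vault project). The default mount path auth/approle, the role prefix payments-* and the policy names payments-read/payments-write are all assumptions for this example.

```hcl
# Added example (not from the thread): a Vault ACL policy for a team that may
# manage its own AppRole roles without choosing which policies those roles get.
# Assumptions: AppRole is mounted at the default path auth/approle, the team's
# roles are named payments-*, and payments-read / payments-write are existing
# policies (all names are placeholders for this example).

# Variant A: the team can create and maintain its roles, but the "policies"
# parameter is denied outright. An empty list in denied_parameters rejects the
# parameter whatever its value, so role-to-policy mapping stays with admins
# (who hold a separate, unconstrained policy on this path).
path "auth/approle/role/payments-*" {
  capabilities = ["create", "read", "update", "delete"]
  denied_parameters = {
    "policies" = []
  }
}

# Variant B (use instead of A): the team may set "policies", but only to the
# listed values; a request naming any other policy is refused with
# "permission denied". Because allowed_parameters denies every parameter it
# does not list, "*" = [] keeps the other role settings (secret_id_ttl,
# bound_cidr_list, ...) writable.
# path "auth/approle/role/payments-*" {
#   capabilities = ["create", "read", "update", "delete"]
#   allowed_parameters = {
#     "*"        = []
#     "policies" = ["payments-read", "payments-write"]
#   }
# }
```

Under Variant A, a write such as `vault write auth/approle/role/payments-api policies=admin` is refused, while the same write without the `policies` parameter succeeds; the role's policies can then only be set by a token whose own policy has no such constraint on this path.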