Is there a way to "audit" access to a particular secret - i.e. determine all parties with access?
155 views
Skip to first unread message
Ray Terrill
Jun 14, 2018, 11:08:24 PM6/14/18
to Vault
Say I have an arbitrary secret /secret/mysecret - is there a way to see who has access to that (other than by inspecting all policies)?
Calvin Leung Huang
Jun 18, 2018, 1:18:54 PM6/18/18
to Vault
Ray,
There is no specific way to see who has access to a particular secret other than inspecting policies.
- Calvin
Dave Cottlehuber
Jun 20, 2018, 12:53:11 PM6/20/18
to vault...@googlegroups.com
On Mon, 18 Jun 2018, at 19:18, Calvin Leung Huang wrote:
> Ray,
>
> There is no specific way to see who has access to a particular secret other
> than inspecting policies.
>
> - Calvin
Thanks for the clarification Calvin.
> Ray,
>
> There is no specific way to see who has access to a particular secret other
> than inspecting policies.
>
> - Calvin
BTW when we decommissioned Novell File & Directory Services for Microsoft's Active Directory, policy verification was the feature I missed most. The ability to verify actual controls vs specified policies is part of many security audits, as are integration tests to programmers.
A+
Dave
Jeff Mitchell
Jun 20, 2018, 12:58:53 PM6/20/18
to Vault
Hi Dave,
We have an internal API that just came out that lets a token view a resultant set of policy. So far our use-case has been for UIs to better know what to show to the user as available options. However, we might be able to add the ability for this to be looked up via an accessor as well; that way anyone with appropriate access to view accessors for tokens could also understand the full set. Feel free to file a feature request on GitHub if you think this would work for you, and if you want to test it out now, you can run "vault read -format=json sys/internal/ui/resultant-acl" -- but you'll need 0.10.3.
Best,
Jeff
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/1529513588.2625189.1414698272.01BF96C1%40webmail.messagingengine.com.
For more options, visit https://groups.google.com/d/optout.
Ray Terrill
Jun 20, 2018, 5:58:20 PM6/20/18
to Vault
Jeff -
What would be super slick for our use case is to be able to navigate to a particular secret in UI - then view that resultant set of policy granting access to that secret from the secret itself.
-Ray
J. Konrad Tegtmeier-Rottach
Jun 25, 2018, 5:34:27 PM6/25/18
to vault...@googlegroups.com
> We have an internal API that just came out that lets a token view a
> resultant set of policy. However, we might be able to add the
> ability for this to be looked up via an accessor as well; that way
> anyone with appropriate access to view accessors for tokens could
> also understand the full set.
I'd certainly be excited to see this become an official feature!
> anyone with appropriate access to view accessors for tokens could
> also understand the full set.
This seems quite handy for debugging and verifying permissions caused
by interacting policies, and for writing new ones, particularly when
there's a sizable corpus of existing policies involved.
It'd be particularly nice for these use-case if the endpoint for the
resultant policy itemized which policy(/ies) contributed to each of
the final resultant rules.
Regards,
KT
Reply all
Reply to author
Forward
0 new messages