Vault UI with Permissions - Way to give access to just specific secrets?


Ray Terrill

Aug 2, 2018, 11:55:19 AM
to Vault
We're using Vault's newly-released UI, and we'd like to provide Vault UI access to some specific secrets to less technical staff.

It looks like the Vault UI is requiring LIST on the secret/ endpoint to even show any secrets, which means people will be able to see many more secrets than they probably should. Similarly, even within a specific path like /secret/myapp, I'd like to only expose a few secrets under that path, not all secrets.

Is this possible?

Thanks.

Matthew Irish

Aug 2, 2018, 12:09:26 PM
to vault...@googlegroups.com
Hello!

Currently listing is required in order to navigate down to specific secrets to read - in this way the UI acts like the CLI using the default LIST function from the API. As noted here - listing in the API does not filter keys: https://www.vaultproject.io/docs/concepts/policies.html#list
"Note that the keys returned by a list operation are not filtered by policies. Do not encode sensitive information in key names."

We do have plans to make it possible to only list the secrets you have access to in the UI, but don't have a target date for the implementation of that feature at this time.

thanks,
Matthew


Ray Terrill

Aug 2, 2018, 1:51:46 PM
to Vault
Oof. I had a feeling that was the case. Thanks Matthew.

Geoff Webster

Aug 23, 2018, 1:54:29 AM
to Vault
Is there an issue currently that I could follow on this?



Jeff Mitchell

Aug 24, 2018, 12:08:55 PM
to Vault
Hi Geoff,

We have no plans to allow per-secret list filtering by arbitrary means, and the UI can't somehow circumvent Vault's restriction there, so I don't think there's really an issue to file here.

Best,
Jeff
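
Added example, not part of the original thread and not Vault's own code: a simplified Python model of the behaviour described in the replies above, showing which key names a UI user can see through LIST without being able to read them. It assumes a KV v1 mount at secret/ and a reduced matching rule (exact path first, then longest prefix glob); the policy, paths and key names are constructed for illustration.

```python
# Simplified model of Vault ACL checks on a KV v1 mount (assumption; not Vault source).
# The policy, paths and key names below are constructed for illustration.

POLICY = {  # what the less technical UI user was granted
    "secret/": {"list"},
    "secret/myapp/": {"list"},
    "secret/myapp/smtp-password": {"read"},
}

STORE = [  # constructed secrets present in the mount
    "secret/myapp/smtp-password",
    "secret/myapp/db-root-password",
    "secret/myapp/signing-key",
    "secret/payroll/bank-api-token",
]


def allowed(policy, path, capability):
    """Exact path match wins; otherwise the longest matching 'prefix*' glob applies."""
    if path in policy:
        return capability in policy[path]
    globs = [p for p in policy if p.endswith("*") and path.startswith(p[:-1])]
    if not globs:
        return False
    return capability in policy[max(globs, key=len)]


def list_keys(policy, store, folder):
    """LIST is authorized on the folder only; returned key names are not filtered."""
    if not allowed(policy, folder, "list"):
        raise PermissionError(f"list denied on {folder}")
    children = set()
    for key in store:
        if key.startswith(folder):
            head, sep, _ = key[len(folder):].partition("/")
            children.add(head + sep)  # sub-folders keep a trailing slash
    return sorted(children)


def names_exposed_without_read(policy, store, folder):
    """Key names the user sees in a listing but has no read capability on."""
    return [k for k in list_keys(policy, store, folder)
            if not k.endswith("/") and not allowed(policy, folder + k, "read")]


if __name__ == "__main__":
    for folder in ("secret/", "secret/myapp/"):
        print(folder, list_keys(POLICY, STORE, folder),
              names_exposed_without_read(POLICY, STORE, folder))
```

Running the same comparison against a real mount's key names before granting list is a quick way to check whether any of those names are themselves sensitive.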
