I have set up HashiCorp Vault in our environment with LDAP/Active Directory and the SSH secrets engine, providing users with a signed cert to access Linux servers.
I've set up some AD groups, for example:
Access - SSH Admin Standard   # Gives access to standard linux servers via "ssh-admin-standard-policy"
Access - Vault Admin          # Vault admins with super user access via "superadmin"
ssh-admin-standard-policy
path "ssh/roles/*" {
capabilities = ["read"]
}
path "sys/mounts*" {
capabilities = ["read", "list"]
}
path "ssh/sign/ssh-admin-standard" {
capabilities = ["create", "update"]
}
and superadmin
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Now when I login as a user that has both AD Groups I get:
➜ ~ vault login -method=ldap username="clarg"
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token
token_accessor
token_duration 768h
token_renewable true
token_policies ["default" "ssh-admin-standard" "superadmin"]
identity_policies []
policies ["default" "ssh-admin-standard" "superadmin"]
token_meta_username clarg
But when I try to do superadmin things, I get permission denied. When I Googled this, I found that in Vault the most restrictive policy wins, in this case the "ssh-admin-standard-policy" policy, which restricts ssh/roles to read only.
My question is how am I supposed to manage superuser access? For now I am using the root key while I am setting it up but I want to delete that.
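To make the interaction between the two policies above concrete, here is a small added model (not Vault's own code, and not part of the original post) of how Vault evaluates the ACL rules attached to one token. It assumes Vault's documented matching rule: an exact path match is used first, otherwise the longest matching glob prefix, with rules for the same path pattern in several policies unioned and "deny" overriding everything. The policy text is the one quoted in the question; the function names and the minimal HCL-style parser are my own.

```python
import re

# The two policies quoted in the question, keyed by the names in the question.
POLICIES = {
    "ssh-admin-standard-policy": '''
path "ssh/roles/*" { capabilities = ["read"] }
path "sys/mounts*" { capabilities = ["read", "list"] }
path "ssh/sign/ssh-admin-standard" { capabilities = ["create", "update"] }
''',
    "superadmin": '''
path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
''',
}

# Minimal matcher for `path "<pattern>" { capabilities = [...] }` stanzas (toy parser, not real HCL).
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text):
    """Return {path_pattern: set(capabilities)} for one policy document."""
    rules = {}
    for path, caps in _RULE.findall(text):
        names = (c.strip().strip('"') for c in caps.split(",") if c.strip())
        rules.setdefault(path, set()).update(names)
    return rules


def merge_policies(policy_texts):
    """Union every policy's rules; identical path patterns merge their capability sets."""
    merged = {}
    for text in policy_texts:
        for path, caps in parse_policy(text).items():
            merged.setdefault(path, set()).update(caps)
    return merged


def capabilities_for(merged, request_path):
    """Pick the single rule that applies: exact match first, then the longest glob prefix."""
    if request_path in merged:
        caps = merged[request_path]
    else:
        globs = [p for p in merged if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return set()  # deny by default: no rule matches
        caps = merged[max(globs, key=len)]  # most specific (longest) prefix wins
    return set() if "deny" in caps else caps


def is_allowed(policy_names, request_path, capability):
    """True if a token carrying these policies may perform `capability` on `request_path`."""
    merged = merge_policies(POLICIES[name] for name in policy_names)
    return capability in capabilities_for(merged, request_path)
```

Under this model a token holding both policies gets only "read" on ssh/roles/..., because "ssh/roles/*" is a longer match than "*", while paths no other rule touches (for example sys/policies/acl/...) still get the full superadmin set.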