The first version of the KV store does not separate data and metadata - thus writing access policies for this target is fairly simple.
VaultPass already expects you to separate credentials by the different organisations/teams/groups that want to access them.
The full path that VaultPass expects inside of your Vault installation looks like this: /secret/VaultPass/[ORG]/[REGEX]
where org represents the mentioned groups and the regex should match "something" in your URL.
In the following I will show you how to restrict access to your VaultPass credentials to groups in Vault. Since we currently only support login via LDAP and userpass - I recommend using the LDAP group mapping mechanism explained in the Vault Documentation
Additionally I assume that you are familiar with the model of Policies in Vault.
This document is only meant to be a quick getting started for people generally knowledgable in Vault. The files provided here are solely meant as examples and very likely do not express best practice or a secure installation.
default.hcl:
[...]
# Allow listing orgs in VaultPass
path "secret/vaultPass" {
capabilities = [
"list",
]
}
# Deny any access to vaultPass credentials by default
path "secret/vaultPass/*" {
capabilities = [
"deny",
]
}
vault write /sys/policy/default [email protected]
Assuming that org1
is a group in your Vault installation - this would be the policy you need to allow them access to their credentials.
Repeat this for every group that needs access to VaultPass.
org1.hcl:
# Allow org1 full access to their credentials
path "secret/vaultPass/org1/*" {
capabilities = [
"create",
"read",
"update",
"delete",
"list",
]
}
vault write /sys/policy/org1 [email protected]
Here is an example of how to fill your new group with a test credential:
testcreds.json:
{
"title": "Just testing",
"username": "testUser",
"password": "abc123",
"comment": "This is a test entry",
}
vault kv put secret/vaultPass/org1/e @testcreds.json
This will result in a "file" at the path vaultPass/org1/e which will match all URLs that contain at least one 'e'.