Manage secrets across namespaces
Enterprise Feature
Vault namespaces feature is a part of Vault Enterprise.
This tutorial demonstrates the capability introduced in Vault Enterprise 1.13.0. If you are not familiar with Vault Namespaces, complete the Secure Multi-Tenancy with Namespaces tutorial first. In addition, the Vault Namespace and Mount Structuring Guide provides some guidance on designing the namespace hierarchy.
Challenge
The purpose of Vault namespaces is to create an isolated Vault environment within a cluster so that each organization, team, or application can manage secrets independently. Therefore, Vault clients must authenticate into a specific target namespace where the secrets live.
In some use cases, this imposes a burden on the Vault clients especially if the client must read secrets from dozens of independent namespaces (namespaces with no hierarchical relationship). This operational overhead becomes more prominent when you are using Vault Agent to automate secrets management.
Tip
When namespaces have hierarchical relationship, you can write namespace-aware policies to allow access to secrets in the child namespaces.
Solution
Vault Enterprise 1.13.0 introduced the group_policy_application_mode
flag
which enables secrets sharing across multiple independent namespaces. With this
change, a single instance of the Vault Agent can fetch secrets across multiple
namespaces. (See Cross namespace secret sharing
for an Agent injector example.)
Tutorial example use case
This tutorial demonstrates the secrets management across namespaces
funcationality using the userpass
auth method, however, all auth methods are
supported. Refer to the configure cross namespace access
documentation
for more information.
Prerequisites
- Familiarity with Vault namespaces or completed the Secure Multi-Tenancy with Namespaces tutorial
- Vault Enterprise binary v1.13.0 or later
Lab setup
Open a terminal and set your Vault Enterprise license string as the value of the
VAULT_LICENSE
environment variable.Start a Vault dev server with
root
as the root token.The Vault dev server defaults to running at
127.0.0.1:8200
. The server is also initialized and unsealed.Insecure operation
Do not run a Vault dev server in production. This approach is only used here to simplify the unsealing process for this demonstration.
Export an environment variable for the
vault
CLI to address the Vault server.Export an environment variable for the
vault
CLI to authenticate with the Vault server.The Vault server is ready.
Scenario setup
To demonstrate the secrets sharing across namespaces, you need the following:
- New namespaces:
us-west-org
andus-east-org
- In the
us-west-org
namespace:- Enabled userpass auth method and created a "tam-user" with
customer-info-read-only
policy attached. The password is "my-long-password" - Enabled KV v2 secrets engine at
kv-customer-info
with some test data - Create a
customer-info-read-only
policy allowing to read secrets atkv-customer-info/data/*
- Created an identity entity, "TAM" and added "tam-user" as a member (an entity alias)
- Enabled userpass auth method and created a "tam-user" with
- In the
us-east-org
namespace:- Enabled KV v2 secrets engine at
kv-marketing
with some test data - Created a marketing-read-only policy allowing read permission on the
kv-marketing/data/campaign
path - Create an entity group named "campaign-admin" with the marketing-read-only policy attached
- Enabled KV v2 secrets engine at
Tip
If you are not familiar with entities and groups, read the Identity: Entities and Groups tutorial.
Use your preferred text editor, paste in the following to create a script to setup the Vault elements needed for demonstration.
lab-setup.shChange the file permission to make it executable.
Run the script.
Enable secrets sharing
Vault 1.13.0 introduced a new API endpoint,
sys/config/group-policy-application
which sets the
group_policy_application_mode
parameter to allow Vault clients to manage
secrets across multiple namespaces.
Look up the current setting.
The default setting is
within_namespace_hierarchy
.Set the parameter value to
any
.Output:
Read it back to verify.
Verification: Read secrets
Log in as "tam-user" and store the returned token in token.txt. Remember that auth methods are tied to the namespace they are configured. The "tam-user" is a user created in the userpass auth method in the us-west-org namespace.
Tip
You can ignore the returned warning about the VAULT_TOKEN environment variable to take precedence.Check to see if you can read the
kv-marketing/data/campaign
in the us-east-org namespace using the generated token.Output:
You can read the secrets in the
us-east-org
namespace.(Optional) The "tam-user" token has the
customer-info-read-only
policy attached. Therefore, you can read the secrets atkv-customer-info/
in the us-west-org namespace.Example output:
Revert back the parameter setting
Set the
group_policy_application_mode
parameter value back towithin_namespace_hierarchy
.Try to read the secrets again.
Output:
When the
group_policy_application_mode
parameter is set towithin_namespace_hierarchy
, you cannot access the secrets in the namespaces that has no hierarchical relationship.
Clean up
You can stop the Vault dev server by pressing Ctrl+C where the server is running. Or, execute the following command.
Unset the
VAULT_TOKEN
andVAULT_ADDR
environment variables.Remove the entity / token / accessor files.
Summary
This tutorial demonstrated the new API endpoint,
sys/config/group-policy-application
and its group_policy_application_mode
parameter introduced in Vault 1.13.0 to allow Vault clients to manage secrets
across multiple independent namespaces.
Although secrets engines, auth methods, policies, and tokens are tied to each namespaces, the entity group can pull entities and groups from other namespaces. If you are not familiar with entities and groups, read the Identity: Entities and Groups tutorial.