HashiCorp Vault User Audit

Time:10-09

We're seeking a solution to enable us to audit our HashiCorp Vault instance to obtain a namespace breakdown of:

  • For each Vault user, the roles or groups that their entity belongs to.

Having reviewed the Vault API explorer commands, it appears this is not a capability that is available using that utility. There's been a suggestion that the HashiCorp Vault API client (HVAC) for Python might be a possible solution, but my initial research doesn't appear to indicate so either.

Will an API client like Postman for instance be the possible answer? Any recommendations or suggestions on how we can perform this task?

CodePudding user response:

The API does provide that information, but the data is organized with groups containing users. You must gather the data this way and create a map as you go. As @furas commented, you will likely hit the limits of Postman trying to do that.

I see you tagged your question with Python, so here is the list of steps you need to do, with links to the corresponding Vault API documentation and HVAC wrapper:

  1. List groups by id to prime your loop. HVAC list_groups
  2. For each group in the list:
    1. Read the group detail to get the member_entity_ids list. HVAC read_group
    2. For each user in the group:
      1. Read the user details and save the results in a map (so that it can be indexed by user). HVAC read_entity
      2. Add the group that got you there in that user's data. Something like users[entity_id].groups.append(current_group['data']['name']).
  3. Print or export your map of users and their groups.
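A Python sketch of the loop above, using the hvac identity calls the answer names (added example, not the answerer's code; `FakeIdentity` and its sample data are constructed, and a live run assumes `VAULT_ADDR`, `VAULT_TOKEN` and optionally `VAULT_NAMESPACE` are set):

```python
import os


def audit_users_by_group(identity, namespace="root"):
    """Walk groups -> members and return {entity_id: {...}}.

    `identity` exposes hvac's Identity methods: list_groups(),
    read_group(group_id=...), read_entity(entity_id=...).
    """
    users = {}
    # 1. List groups by id to prime the loop (hvac raises InvalidPath on an empty LIST).
    group_ids = identity.list_groups()["data"]["keys"]
    for group_id in group_ids:
        # 2a. Read the group: name, policies and member_entity_ids.
        group = identity.read_group(group_id=group_id)["data"]
        for entity_id in group.get("member_entity_ids") or []:
            # 2b-i. Read each entity once; index the map by entity id.
            if entity_id not in users:
                entity = identity.read_entity(entity_id=entity_id)["data"]
                users[entity_id] = {
                    "name": entity.get("name"),
                    "namespace": namespace,
                    "entity_policies": sorted(entity.get("policies") or []),
                    "groups": [],
                    "group_policies": set(),
                }
            # 2b-ii. Record the group that led here and the policies it grants.
            users[entity_id]["groups"].append(group["name"])
            users[entity_id]["group_policies"].update(group.get("policies") or [])
    for rec in users.values():  # 3. normalise for export (sets -> sorted lists)
        rec["groups"].sort()
        rec["group_policies"] = sorted(rec["group_policies"])
    return users


class FakeIdentity:
    """Constructed stand-in for client.secrets.identity with the same call shapes."""
    GROUPS = {"g1": {"name": "admins", "policies": ["admin"], "member_entity_ids": ["e1"]},
              "g2": {"name": "devs", "policies": ["dev-ro"], "member_entity_ids": ["e1", "e2"]}}
    ENTITIES = {"e1": {"name": "alice", "policies": ["default"]},
                "e2": {"name": "bob", "policies": []}}
    def list_groups(self): return {"data": {"keys": list(self.GROUPS)}}
    def read_group(self, group_id): return {"data": self.GROUPS[group_id]}
    def read_entity(self, entity_id): return {"data": self.ENTITIES[entity_id]}


if __name__ == "__main__":
    import hvac, json
    ns = os.environ.get("VAULT_NAMESPACE")
    client = hvac.Client(url=os.environ["VAULT_ADDR"], token=os.environ["VAULT_TOKEN"], namespace=ns)
    print(json.dumps(audit_users_by_group(client.secrets.identity, ns or "root"), indent=2))
```

Run it once per namespace you care about (the `namespace` argument to `hvac.Client` selects it); an entity that appears in no group will not show up, because the walk starts from groups.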

CodePudding user response:

@ixe013's response is good, but you also asked about roles. Some people do tie usernames / email addresses to auth method roles (especially OIDC) by listing them in the auth/oidc/role/${role_name} endpoint's bound_claims map. I'm not suggesting people should use this method, as it doesn't scale as well as the identity system groups, but for completeness it is worth mentioning, as there are indeed three places policies can be assigned: from identity system entity objects, from identity system groups, or from auth method role definitions. And policies are how you grant effective permissions in Vault, so this is completely relevant in an auditing context.
