doc: Add an example of templated policy using k8s metadata (#9101)

2020-05-29 02:54:56 +02:00 · 2020-05-29 02:54:56 +02:00 · 3a07bd0bc4
parent a8ed7d3edd
commit 3a07bd0bc4
1 changed files with 23 additions and 0 deletions
--- a/website/pages/docs/concepts/policies.mdx
+++ b/website/pages/docs/concepts/policies.mdx
@ -295,6 +295,29 @@ unique to the user, whereas names can change over time and can be reused. This
 ensures that if a given user or group name is changed, the policy will be
 mapped to the intended entity or group.

+If you want to use the metadata associated with an authentication plugin in your
+templates, you will need to get its _mount accessor_ and access it via the
+`aliases` key.
+
+You can get the mount accessor value using the following command:
+
+```shellsession
+$> vault auth list
+Path           Type          Accessor                    Description
+----           ----          --------                    -----------
+kubernetes/    kubernetes    auth_kubernetes_xxxx        n/a
+token/         token         auth_token_yyyy             token based credentials
+```
+
+The following templated policy allow to read the path associated with the
+Kubernetes service account namespace of the identity:
+
+```ruby
+path "secrets/data/{{identity.entity.aliases.auth_kubernetes_xxxx.metadata.service_account_namespace}}/*" {
+  capabilities = ["read"]
+}
+```
+
 ## Fine-Grained Control

 In addition to the standard set of capabilities, Vault offers finer-grained