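# https://www.vaultproject.io/api-docs/auth/userpass#update-password-on-user:
# Allow humans to change their own password. Per HashiCorp's Jeff Mitchell at
# https://github.com/hashicorp/vault/issues/6590#issuecomment-531620507 we're
# not using an 'allowed_parameters' limitation. Instead we directly use the
# '/password' endpoint. This permits users to change their password via API and
# Vault CLI client but not via UI.
#
# ACCESSOR is a placeholder: replace it with the accessor of the userpass auth
# mount (shown in the "Accessor" column of `vault auth list`) before loading
# this policy. With the placeholder left in, the templated path never matches
# and the grant is silently inert.
path "auth/userpass/users/{{identity.entity.aliases.ACCESSOR.name}}/password" {
  capabilities = ["update"]
}

# The following policies extend permissions to also change password via UI. Note
# that this (the second one below) grants permission to /see/ all existing
# userpass usernames. If password changes via UI are important enough you may
# want to live with this limitation. By default below policies remain commented
# out. To enable them, strip exactly one leading "# " from each line of the
# block; every closing brace is commented with a single marker so the block
# closes correctly once uncommented.
# path "sys/auth" {
#   capabilities = ["read"]
# }
#
# path "auth/userpass/users/*" {
#   capabilities = ["list"]
# }
#
# path "auth/userpass/users/{{identity.entity.aliases.ACCESSOR.name}}" {
#   capabilities = ["read"]
# }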