docs(config): Add a policy that permits writing but not reading secrets

hygienic-books 2022-06-08 01:55:58 +02:00
parent ace725a177
commit e59fee211a
2 changed files with 31 additions and 1 deletion


@ -19,7 +19,7 @@ Refer to [config/vault.hcl](config/vault.hcl) for content.
## Configure
Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes:
* Add policies from [policies](policies) subdirectory into Vault
* Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault
* Create group `administrators`
* Assign policies `administrator` and `auditor` to that group
* Create one entity to represent yourself as an administrator
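Review bot: the rewritten bullet now points readers only at policies/role-administrator, yet the following bullet still assigns both `administrator` and `auditor` to the `administrators` group; if the `auditor` policy file is not in that subdirectory, name its location here as well (or state that both files live under role-administrator), otherwise a reader who loads exactly what this bullet says will fail at the group step.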
@ -100,6 +100,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va
From here on out it's just more of what you already did, feel free to make this fit your own approach.
* Optionally from [policies/role-kv-writer/kv-writer.hcl](policies/role-kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location.
Permission to also read/view secrets is commented out in the policy file in case you do need this feature.
Assign the policy to a group as needed.
## Clean-up
If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.
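Review bot: the statement that entities "will not be able to read secrets nor see if versions exist at a given location" overstates what the policy hides: the `list` capability the new policy grants on `kv/metadata/*` returns the key names under a prefix, so a holder can see that a secret exists at a given path even though they cannot read its data or its version metadata. Suggest rewording to something like "they can see secret names in the hierarchy but cannot read secret data or version metadata". Two further gaps in the same bullet: it never states the name the policy is written under, which the "Assign the policy to a group as needed" instruction needs, and it should warn that `update` on `kv/data/*` lets a holder overwrite the latest version of any existing secret, including ones they cannot read, so "create new versions for existing secrets" is also a destructive capability.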


@ -0,0 +1,24 @@
# Allow listing secret parent-child connections (as in UI hierarchy)
path "kv/metadata/*"
{
capabilities = ["list"]
}
# Allow creation of new secrets and writing new versions for existing ones
path "kv/data/*"
{
capabilities = ["create", "update"]
}
# Allow viewing secret metadata such as whether or not versions of a secrets
# exist anf if so how many.
# path "kv/metadata/*"
# {
# capabilities = ["read"]
# }
# Allow seeing/retrieving plain-text secrets
# path "kv/data/*"
# {
# capabilities = ["read"]
# }
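Review bot: the two commented-out stanzas repeat paths that are already granted above (`kv/metadata/*` with `list`, `kv/data/*` with `create` and `update`), so uncommenting them produces two stanzas for the same path in one policy; rather than relying on how duplicate path stanzas are combined, have the comment tell the reader to add `"read"` to the existing capabilities lists, e.g. `capabilities = ["create", "update", "read"]` on `kv/data/*` and `capabilities = ["list", "read"]` on `kv/metadata/*`. The comment on the metadata stanza also has a typo: "versions of a secrets exist anf if so" should read "versions of a secret exist and if so". Finally, since `update` on `kv/data/*` permits overwriting the latest version of any existing secret, if the intended use is write-new-only it is worth a comment that this policy does not enforce that, and that check-and-set (`cas` on writes, or `cas_required` in the secret's metadata) is what prevents silent overwrites.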