From f9c7e74524582e16ce1af40ee20488997237b93d Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Tue, 7 Jun 2022 03:49:37 +0200 Subject: [PATCH] docs(config): Get started on config management --- README.md | 6 ++++++ policies/role-cfgmgmt/cfgmgmt.hcl | 4 ++++ 2 files changed, 10 insertions(+) create mode 100644 policies/role-cfgmgmt/cfgmgmt.hcl diff --git a/README.md b/README.md index 11d6ba6..0705821 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va ``` Entity IDs are coming from `vault list identity/entity/id` and/or `vault read identity/entity/name/`. +* Optionally [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl) gets you started with read-only secrets access for example for a config management tool like Ansible. + + You'll want to create an Ansible entity with an alias, create both a `token` and a `userpass` alias and use the latter one to authenticate against Vault to retrieve a token. You'll likely want a distinct group where your Ansible entity becomes a member and which uses a policy such as the example at [policies/role-cfgmgmt/cfgmgmt.hcl](policies/role-cfgmgmt/cfgmgmt.hcl). + + From here on out just more of what you already did so feel free to make this fit your own approach. + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. diff --git a/policies/role-cfgmgmt/cfgmgmt.hcl b/policies/role-cfgmgmt/cfgmgmt.hcl new file mode 100644 index 0000000..a3f7a0e --- /dev/null +++ b/policies/role-cfgmgmt/cfgmgmt.hcl @@ -0,0 +1,4 @@ +# Grant read-only access to secrets +path "kv/data/name/domain/qualified/fully/os/root/creds" { + capabilities = ["read"] +}
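Review bot: the new README bullet says to create both a `token` and a `userpass` alias and authenticate with the latter, but it never says that the `userpass` auth method has to be enabled and that each alias is tied to a specific auth mount, so a reader following the earlier entity steps has no way to know what to point the alias at; one sentence naming the mount for each alias, in the same style as the existing `vault list identity/entity/id` hint, would close that gap. Minor style points in the same hunk: the link to `policies/role-cfgmgmt/cfgmgmt.hcl` appears twice in one bullet (the second can just say "that policy"), "for example for a config management tool" reads better as "e.g. for a config management tool such as Ansible", and "From here on out just more of what you already did" is vague; spelling out the remaining steps (create the group, add the entity as a member, attach the policy) would make the bullet self-contained.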
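Review bot: in `cfgmgmt.hcl` the comment `# Grant read-only access to secrets` overstates what the rule does, which is grant `read` on exactly one literal path; the path segments `name/domain/qualified/fully/os/root/creds` look like a reversed-FQDN placeholder, but nothing in the file or the README says so, so a user copying the file verbatim gets a policy that matches nothing. Suggest a comment such as `# Example: read-only access to a single KV v2 secret; replace the path with your own` and a note that the `kv/data/` prefix is the KV version 2 layout (a KV version 1 mount would use `kv/<path>` without `data/`). Since the README pitches this as a least-privilege policy for a config management tool, it is worth stating explicitly that no `list` or wildcard capability is granted, which is the right default for an automated consumer.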