Forked from greenbrian/HashiCorp Vault - methods of writing ACL policies
Created October 5, 2021 18:14
Revisions
greenbrian revised this gist
Feb 1, 2019. 1 changed file with 14 additions and 0 deletions.
@@ -0,0 +1,14 @@ resource "vault_policy" "example" { name = "basic" policy = "${file("policies/basic.hcl")}" } # contents of basic.hcl path "sys/renew/*" { capabilities = ["update"] } # Allow renewal of token leases path "auth/token/renew/*" { capabilities = ["update"] }
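Review bot: the `path` blocks that follow `# contents of basic.hcl` cannot live in the same `.tf` file as the `vault_policy` resource; Terraform will reject them, so they belong in `policies/basic.hcl` (the file the resource reads), and the gist should mark that split clearly rather than with a comment in the middle of the hunk. The `policy = "${file("policies/basic.hcl")}"` form is the pre-0.12 interpolation-only syntax; on current Terraform it should read `policy = file("policies/basic.hcl")`. The comment `# Allow renewal of token leases` sits above `auth/token/renew/*` while `sys/renew/*` has none; since `sys/renew/*` lets the token holder renew any lease whose ID they hold, a comment stating that beside it would help readers who copy the policy.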
greenbrian revised this gist
Sep 7, 2017. 1 changed file with 11 additions and 1 deletion.
@@ -1 +1,11 @@ There are many methods for writing Vault policies. This gist was created to collect the most common methods such that they can be easily used as references for syntax, as well as evaluation for which method suits a particular purpose. TODO: - Add complex policy examples - Add @json.file examples - Add httpie examples
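Review bot: the README does not state which Vault version the commands and endpoints were exercised against, and the other files use the `vault policy-write` / `vault policies` subcommand names, which were replaced by `vault policy write` / `vault policy read` in later Vault releases; a version line would save readers a failed copy-paste. The TODO list could also gain an item for keeping the three methods in sync, since the curl file and the two CLI files currently write different capability sets for `auth/token/lookup-self`.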
greenbrian revised this gist
Sep 7, 2017. No changes.
greenbrian revised this gist
Sep 7, 2017. 1 changed file with 1 addition and 0 deletions.
@@ -0,0 +1 @@ There are many methods for writing Vault policies, I've just used this gist to collect the most common methods such that they can be easily used as references for syntax, as well as evaluation for which method suits a particular purpose.
greenbrian revised this gist
Sep 6, 2017. No changes.
greenbrian created this gist
Sep 6, 2017.
@@ -0,0 +1,15 @@ curl \ --silent \ --header "X-Vault-Token: root" \ --request POST \ --data '{"rules":"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"}' \ http://127.0.0.1:8200/v1/sys/policy/test # read back policy curl \ --silent \ --header "X-Vault-Token: root" \ --request GET \ http://127.0.0.1:8200/v1/sys/policy/test | jq '.rules' "path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"
@@ -0,0 +1,24 @@ echo ' path "secret/foo" { capabilities = ["list","read"] } path "supersecret/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["create", "read"] } ' | vault policy-write user - ## read policy back #$ vault policies user path "secret/foo" { capabilities = ["list","read"] } path "supersecret/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["create", "read"] }
@@ -0,0 +1,56 @@ echo ' path "secret/foo" { capabilities = ["list","read"] } path "supersecret/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["create", "read"] } ' > policy.hcl vault policy-write test2 policy.hcl #################################################### # read back policy #$ vault policies test2 path "secret/foo" { capabilities = ["list","read"] } path "supersecret/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["create", "read"] } #################################################### vault read -format=json sys/policy/test2 { "request_id": "dae10a3f-1334-9cb9-df2e-4571d32c6530", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "name": "test2", "rules": "\npath \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n}\npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n}\npath \"auth/token/lookup-self\" {\n capabilities = [\"create\", \"read\"]\n}\n\n" }, "warnings": null } #################################################### vault read sys/policy/test2 Key Value --- ----- name test2 rules path "secret/foo" { capabilities = ["list","read"] } path "supersecret/*" { capabilities = ["list", "read"] } path "auth/token/lookup-self" { capabilities = ["create", "read"] }
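Review bot: in the curl file, the root token is hard-coded as `--header "X-Vault-Token: root"` and the server is plain `http://127.0.0.1:8200`; that is acceptable against a dev server, but the file should say so and read the token from the environment (`--header "X-Vault-Token: $VAULT_TOKEN"`) so nobody copies a root token into a script. The policy body is a JSON string with escaped quotes and `\n` packed into one `--data` argument, which is hard to read and edit; `--data @policy.json` with the rules in a file would match the README's `@json.file` TODO. This file also grants `auth/token/lookup-self` only `["read"]` while both CLI files grant `["create", "read"]`, so the three methods do not write the same policy.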
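Review bot: in the `vault policy-write user -` file, `auth/token/lookup-self` is given `["create", "read"]`; a self lookup only needs `read` (the curl file grants exactly that, and Vault's default policy does the same), so `create` should be dropped to keep the policy at least privilege and make the three files comparable. The read-back command is written as a comment (`#$ vault policies user`) while its output is uncommented, so running the file as a shell script would try to execute the output lines as commands; either comment the output too or separate commands from transcript.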
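Review bot: in the policy.hcl file, commands and their outputs carry inconsistent prefixes: `#$ vault policies test2` is commented while `vault read -format=json sys/policy/test2` and `vault read sys/policy/test2` are not, and all captured output is uncommented, so the file is neither a runnable script nor a clean transcript. Suggest prefixing every command with `$ ` and indenting or commenting the output. The JSON read-back also shows `rules` stored with the leading and trailing newlines that the `echo ' ... '` quoting introduces (`"\npath ... \n\n"`); a heredoc or `printf` would give a cleaner stored policy, and the write leaves `policy.hcl` behind in the working directory, which is worth noting in the comment.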