'Root policy in hcl for hashicorp vault
Is this a hashicorp vault policy so that it allows access to any resource and path within vault? I'm looking to enable an admin policy without granting root token access to anyone for obvious security reasons.
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Solution 1:[1]
Hoping this admin policy is just used in development/test environnement. For obvious security reasons, it seems really unsafe to distribute such policy to anyone.
The Vault root token was designed by Hashicorp to allow you to create specific users with controlled policies at the first configuration of your Vault.
After this step, no one should possess such privilege right.
Solution 2:[2]
The policy @Wunderbread posted is the correct admin policy that can be applied to users without the need for a root token.
Solution 3:[3]
I use this admin policy that is able to : - Read system health check - Create and manage ACL policies broadly across Vault - Enable and manage authentication methods broadly across Vault - Manage the Key-Value secrets engine enabled at secret/ path
path "sys/health"
{
capabilities = ["read", "sudo"]
}
path "sys/policies/acl"
{
capabilities = ["list"]
}
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
path "sys/auth"
{
capabilities = ["read"]
}
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/mounts"
{
capabilities = ["read"]
}Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | wawazerty |
| Solution 2 | Clintm |
| Solution 3 | Mohamed DAHER YAHFOUFI |