
Create Vault Policies CLI

Challenge

Since Vault centrally secures, stores, and controls access to secrets across distributed infrastructure and applications, it is critical to control permissions before any user or machine can gain access.

Solution

Restrict the use of the root policy, and write fine-grained policies to practice least privilege. For example, if an app gets AWS credentials from Vault, write a policy that grants read on the AWS secrets engine but not delete.

Policies are attached to tokens and roles to enforce client permissions on Vault.

Prerequisites

To perform the tasks described in this tutorial, you need to have a Vault environment. Refer to the Getting Started tutorial to install Vault. Make sure that your Vault server has been initialized and unsealed.

Write a policy

The first step is to gather the policy requirements.

An admin user must be able to:

  • Read system health check
  • Create and manage ACL policies broadly across Vault
  • Enable and manage authentication methods broadly across Vault
  • Manage the Key-Value secrets engine enabled at secret/ path

Define the admin policy in the file named admin-policy.hcl.

tee admin-policy.hcl <<EOF
# Read system health check
path "sys/health"
{
capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `secret/` path

# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
capabilities = ["read"]
}
EOF

A policy defines one or more paths and, for each path, a list of permitted capabilities. Most of these capabilities map to the HTTP verbs supported by the Vault API.

Capability   Associated HTTP verbs
create       POST/PUT
read         GET
update       POST/PUT
delete       DELETE
list         LIST
patch        PATCH
sudo         -
deny         -

The sudo capability allows access to paths that are root-protected (Refer to the Root protected endpoints section).

The deny capability disables access to the path. When combined with other capabilities, it always takes precedence.

Create a policy

1. Create an admin policy.

vault policy write admin admin-policy.hcl

Display a policy

2. List all the policies.

vault policy list

3. Read the admin policy.

vault policy read admin

The output displays the paths and capabilities defined for this policy.

Check token capabilities

A token can display its capabilities for a given path. This provides a way to verify the capabilities granted or denied by all of its attached policies.

4. Create a token with the admin policy attached and store the token in the variable ADMIN_TOKEN.

ADMIN_TOKEN=$(vault token create -format=json -policy="admin" | jq -r ".auth.client_token")

5. Display the ADMIN_TOKEN.

echo $ADMIN_TOKEN

The admin policy defines capabilities for the path sys/auth/*.

6. Retrieve the capabilities of this token for the sys/auth/approle path.

vault token capabilities $ADMIN_TOKEN sys/auth/approle

The output displays that this token has create, delete, read, sudo, update capabilities for this path.

7. Retrieve the capabilities of this token for a path not defined in the policy.

vault token capabilities $ADMIN_TOKEN identity/entity

The output displays that this token has no capabilities (deny) for this path.
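To make the evaluation behind `vault token capabilities` and the deny rule above concrete, here is an added example (not part of this tutorial or of Vault itself) that parses policies written in the form shown above and reports the effective capabilities for a path. It is a simplified model: it handles exact paths and trailing `*` globs, merges identical patterns across policies, lets an exact match beat a glob and the longest matching pattern win, and lets deny override everything; Vault's real ACL engine adds more (for example `+` segment wildcards and parameter constraints). The sample policies are constructed for the example.

```python
import re

# Constructed sample policies (not from a live Vault): a trimmed copy of this
# tutorial's admin policy, plus a second policy that denies one sub-path.
ADMIN_POLICY = """
# Read system health check
path "sys/health"
{
capabilities = ["read", "sudo"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""
LOCKDOWN_POLICY = """
path "secret/prod/*" { capabilities = ["deny"] }
"""

RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} from policy text in this tutorial's form."""
    hcl = re.sub(r"#[^\n]*", "", hcl)  # drop comment lines before matching rules
    return {path: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
            for path, caps in RULE.findall(hcl)}

def matches(pattern, path):
    """Exact match, or prefix match when the pattern ends in a trailing '*' glob."""
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern

def capabilities(policies, path):
    """Effective capabilities for `path` under all attached policies (simplified model):
    identical patterns are merged across policies, an exact match beats a glob,
    the longest matching pattern wins, and 'deny' overrides every other capability."""
    merged = {}
    for policy in policies:
        for pattern, caps in policy.items():
            merged.setdefault(pattern, set()).update(caps)
    hits = [p for p in merged if matches(p, path)]
    if not hits:
        return ["deny"]  # no rule covers the path: implicit deny
    best = merged[max(hits, key=lambda p: (not p.endswith("*"), len(p)))]
    return ["deny"] if "deny" in best else sorted(best)

if __name__ == "__main__":
    admin, lockdown = parse_policy(ADMIN_POLICY), parse_policy(LOCKDOWN_POLICY)
    for p in ("sys/health", "secret/app/config", "secret/prod/db", "identity/entity"):
        print(p, capabilities([admin, lockdown], p))
```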