open-vault/website/source/guides/identity/policies.html.md

604 lines
15 KiB
Markdown
Raw Normal View History

2018-01-18 01:39:21 +00:00
---
layout: "guides"
page_title: "Policies - Guides"
sidebar_current: "guides-identity-policies"
2018-01-18 01:39:21 +00:00
description: |-
Policies in Vault control what a user can access.
---
# Policies
In Vault, we use policies to govern the behavior of clients and instrument
2018-01-24 19:47:31 +00:00
Role-Based Access Control (RBAC) by specifying access privileges
(_authorization_).
2018-01-18 01:39:21 +00:00
When you first initialize Vault, the
[**`root`**](/docs/concepts/policies.html#root-policy) policy gets created by
default. The `root` policy is a special policy that gives superuser access to
_everything_ in Vault. This allows the superuser to set up initial policies,
tokens, etc.
In addition, another built-in policy,
[**`default`**](/docs/concepts/policies.html#default-policy), is created. The
2018-01-18 01:39:21 +00:00
`default` policy is attached to all tokens and provides common permissions.
2018-02-01 17:50:59 +00:00
Everything in Vault is path based, and admins write policies to grant or forbid
access to certain paths and operations in Vault. Vault operates on a **secure by
default** standard, and as such, an empty policy grants **no permissions** in the
system.
2018-01-18 01:39:21 +00:00
### HashiCorp Configuration Language (HCL)
Policies written in [HCL](https://github.com/hashicorp/hcl) format are often
2018-01-24 19:47:31 +00:00
referred as **_ACL Policies_**. [Sentinel](https://www.hashicorp.com/sentinel) is
2018-01-18 01:39:21 +00:00
another framework for policy which is available in [Vault
Enterprise](/docs/enterprise/index.html). Since Sentinel is an enterprise-only
2018-02-01 17:50:59 +00:00
feature, this guide focuses on writing ACL policies as a foundation.
2018-01-18 01:39:21 +00:00
**NOTE:** HCL is JSON compatible; therefore, JSON can be used as completely
valid input.
## Reference Material
- [Policies](/docs/concepts/policies.html#default-policy) documentation
- [Policy API](/api/system/policy.html) documentation
- [Getting Started guide](/intro/getting-started/policies.html) on policies
~> **NOTE:** An [interactive
tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) is
also available if you do not have a Vault environment to perform the steps
described in this guide.
2018-01-18 01:39:21 +00:00
## Estimated Time to Complete
10 minutes
2018-01-23 23:43:07 +00:00
## Personas
The scenario described in this guide introduces the following personas:
- **`root`** sets up initial policies for `admin`
- **`admin`** is empowered with managing a Vault infrastructure for a team or
organizations
- **`provisioner`** configures secret engines and creates policies for
2018-01-23 23:43:07 +00:00
client apps
2018-01-18 01:39:21 +00:00
## Challenge
Since Vault centrally secures, stores, and controls access to secrets across
2018-01-23 23:43:07 +00:00
distributed infrastructure and applications, it is critical to control
permissions before any user or machine can gain access.
2018-01-18 01:39:21 +00:00
## Solution
Restrict the use of root policy, and write fine-grained policies to practice
**least privileged**. For example, if an app gets AWS credentials from Vault,
write policy grants to `read` from AWS secret engine but not to `delete`, etc.
2018-01-18 01:39:21 +00:00
Policies are attached to tokens and roles to enforce client permissions on
Vault.
## Prerequisites
To perform the tasks described in this guide, you need to have a Vault
environment. Refer to the [Getting
2018-01-23 23:43:07 +00:00
Started](/intro/getting-started/install.html) guide to install Vault. Make sure
that your Vault server has been [initialized and
2018-01-18 01:39:21 +00:00
unsealed](/intro/getting-started/deploy.html).
### Policy requirements
2018-01-23 23:43:07 +00:00
Since this guide demonstrates the creation of an **`admin`** policy, log in with
**`root`** token if possible. Otherwise, make sure that you have the following
permissions:
```shell
# Manage auth methods broadly across Vault
2018-01-25 02:10:56 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete auth methods
2018-01-25 02:10:56 +00:00
path "sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "sudo"]
}
# To list policies - Step 3
path "sys/policy"
{
capabilities = ["read"]
}
# Create and manage ACL policies broadly across Vault
2018-01-23 23:43:07 +00:00
path "sys/policy/*"
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-23 23:43:07 +00:00
}
2018-01-25 02:10:56 +00:00
# List, create, update, and delete key/value secrets
path "secret/*"
2018-01-23 23:43:07 +00:00
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage and manage secret engines broadly across Vault.
2018-01-25 02:10:56 +00:00
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Read health checks
path "sys/health"
{
capabilities = ["read", "sudo"]
2018-01-23 23:43:07 +00:00
}
# To perform Step 4
path "sys/capabilities"
{
capabilities = ["create", "update"]
}
# To perform Step 4
path "sys/capabilities-self"
{
capabilities = ["create", "update"]
}
```
2018-01-18 01:39:21 +00:00
## Steps
2018-01-23 23:43:07 +00:00
The basic workflow of creating policies is:
2018-01-30 00:41:44 +00:00
![Policy Creation Workflow](/assets/images/vault-policy-authoring-workflow.png)
2018-01-23 23:43:07 +00:00
2018-01-18 01:39:21 +00:00
This guide demonstrates basic policy authoring and management tasks.
2018-01-23 23:43:07 +00:00
1. [Write ACL policies in HCL format](#step1)
1. [Create policies](#step2)
1. [View existing policies](#step3)
1. [Check capabilities of a token](#step4)
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
### <a name="step1"></a>Step 1: Write ACL policies in HCL format
2018-01-18 01:39:21 +00:00
2018-05-16 00:43:35 +00:00
Remember, an empty policy grants **no permission** in the system. Therefore, ACL
2018-01-23 23:43:07 +00:00
policies are defined for each path.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```shell
path "<PATH>" {
2018-01-18 01:39:21 +00:00
capabilities = [ "<LIST_OF_CAPABILITIES>" ]
}
```
-> The path can have a wildcard ("`*`") at the end to allow for
2018-01-18 01:39:21 +00:00
namespacing. For example, "`secret/training_*`" grants permissions on any
path starting with "`secret/training_`" (e.g. `secret/training_vault`).
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
Define one or more [capabilities](/docs/concepts/policies.html#capabilities) on each path to control operations that are
2018-01-18 01:39:21 +00:00
permitted.
| Capability | Associated HTTP verbs |
| --------------- |------------------------|
| create | POST/PUT |
| read | GET |
| update | POST/PUT |
| delete | DELETE |
| list | LIST
#### Policy requirements
The first step in creating policies is to **gather policy requirements**.
2018-01-23 23:43:07 +00:00
**Example:**
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
**`admin`** is a type of user empowered with managing a Vault infrastructure for
a team or organizations. Empowered with sudo, the Administrator is focused on
configuring and maintaining the health of Vault cluster(s) as well as
providing bespoke support to Vault users.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
`admin` must be able to:
2018-01-18 01:39:21 +00:00
- Mount and manage auth methods broadly across Vault
- Mount and manage secret engines broadly across Vault
2018-01-23 23:43:07 +00:00
- Create and manage ACL policies broadly across Vault
- Read system health check
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
**`provisioner`** is a type of user or service that will be used by an automated
tool (e.g. Terraform) to provision and configure a namespace within a Vault
secret engine for a new Vault user to access and write secrets.
2018-01-23 23:43:07 +00:00
`provisioner` must be able to:
- Mount and manage auth methods
- Mount and manage secret engines
2018-01-23 23:43:07 +00:00
- Create and manage ACL policies
2018-01-18 01:39:21 +00:00
Now, you are ready to author policies to fulfill these requirements.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
#### Example policy for admin
`admin-policy.hcl`
2018-01-18 01:39:21 +00:00
```shell
# Manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List, create, update, and delete auth methods
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "sudo"]
}
2018-01-25 02:10:56 +00:00
# List existing policies
path "sys/policy"
{
capabilities = ["read"]
}
2018-01-23 23:43:07 +00:00
# Create and manage ACL policies broadly across Vault
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
# Manage and manage secret engines broadly across Vault.
2018-01-23 23:43:07 +00:00
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secret engines.
path "sys/mounts"
{
capabilities = ["read"]
}
2018-01-23 23:43:07 +00:00
# Read health checks
path "sys/health"
{
capabilities = ["read", "sudo"]
2018-01-18 01:39:21 +00:00
}
```
2018-01-23 23:43:07 +00:00
#### Example policy for provisioner
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
`provisioner-policy.hcl`
2018-01-18 01:39:21 +00:00
```shell
# Manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
# List, create, update, and delete auth methods
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "sudo"]
2018-01-23 23:43:07 +00:00
}
# List existing policies
path "sys/policy"
{
capabilities = ["read"]
}
2018-01-23 23:43:07 +00:00
# Create and manage ACL policies
path "sys/policy/*"
{
2018-01-18 01:39:21 +00:00
capabilities = ["create", "read", "update", "delete", "list"]
}
2018-01-23 23:43:07 +00:00
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
2018-01-18 01:39:21 +00:00
}
```
2018-01-23 23:43:07 +00:00
### <a name="step2"></a>Step 2: Create policies
Now, create `admin` and `provisioner` policies in Vault.
2018-01-18 01:39:21 +00:00
#### CLI command
2018-01-23 23:43:07 +00:00
To create policies:
```shell
$ vault policy write <POLICY_NAME> <POLICY_FILE>
2018-01-23 23:43:07 +00:00
```
**Example:**
2018-01-18 01:39:21 +00:00
```shell
2018-01-23 23:43:07 +00:00
# Create admin policy
$ vault policy write admin admin-policy.hcl
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
# Create provisioner policy
$ vault policy write provisioner provisioner-policy.hcl
2018-01-18 01:39:21 +00:00
```
**NOTE:** To update an existing policy, simply re-run the same command by
passing your modified policy (`*.hcl`).
#### API call using cURL
To create a policy, use the `/sys/policy` endpoint:
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```shell
$ curl --header "X-Vault-Token: <TOKEN>" \
--request PUT \
--data <PAYLOAD> \
<VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
```
2018-01-18 01:39:21 +00:00
Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
2018-03-20 18:54:10 +00:00
stringified policy.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
**Example:**
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
Now, create `admin` and `provisioner` policies:
2018-01-18 01:39:21 +00:00
```shell
2018-01-23 23:43:07 +00:00
# Create admin policy
$ curl --request PUT --header "X-Vault-Token: ..." --data @admin-payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/policy/admin
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
$ cat admin-payload.json
2018-01-18 01:39:21 +00:00
{
2018-01-23 23:43:07 +00:00
"policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", ... }"
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
# Create provisioner policy
$ curl --request PUT --header "X-Vault-Token: ..." --data @provisioner-payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/policy/provisioner
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
$ cat provisioner-payload.json
2018-01-18 01:39:21 +00:00
{
2018-01-23 23:43:07 +00:00
"policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", ... }"
2018-01-18 01:39:21 +00:00
}
```
-> NOTE: You can also use the `/sys/policies` endpoint which is used to manage
2018-01-23 23:43:07 +00:00
ACL, RGP, and EGP policies in Vault (RGP and EGP policies are enterprise-only
features). To list policies, invoke the `/sys/policies/acl` endpoint.
2018-01-23 23:43:07 +00:00
2018-01-18 01:39:21 +00:00
**NOTE:** To update an existing policy, simply re-run the same command by
passing your modified policy in the request payload (`*.json`).
2018-01-23 23:43:07 +00:00
### <a name="step3"></a>Step 3: View existing policies
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
Make sure that you see the policies you created in [Step 2](#step2).
2018-01-18 01:39:21 +00:00
#### CLI command
The following command lists existing policies:
```shell
$ vault policy list
2018-01-18 01:39:21 +00:00
```
To view a specific policy:
```shell
$ vault policy read <POLICY_NAME>
2018-01-18 01:39:21 +00:00
```
**Example:**
```shell
2018-01-23 23:43:07 +00:00
# Read admin policy
$ vault policy read admin
# Mount and manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
# Create and manage ACL policies broadly across Vault
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
...
```
#### API call using cURL
To list existing ACL policies, use the `/sys/policy` endpoint.
2018-01-23 23:43:07 +00:00
```shell
2018-03-23 15:41:51 +00:00
$ curl --request LIST --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policy | jq
2018-01-18 01:39:21 +00:00
```
To read a specific policy, the endpoint path should be
`/sys/policy/<POLICY_NAME>`.
**Example:**
2018-01-23 23:43:07 +00:00
Read the admin policy:
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```plaintext
2018-03-23 15:41:51 +00:00
$ curl --request GET --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policy/admin | jq
2018-01-18 01:39:21 +00:00
{
2018-01-23 23:43:07 +00:00
"name": "admin",
"rules": "# Mount and manage auth methods broadly across Vault\npath \"auth/*\"\n{\n ...",
2018-01-23 23:43:07 +00:00
"request_id": "e8151bf3-8136-fef9-428b-1506042350cf",
2018-01-18 01:39:21 +00:00
"lease_id": "",
"renewable": false,
"lease_duration": 0,
2018-01-23 23:43:07 +00:00
"data": {
2018-01-18 01:39:21 +00:00
...
```
2018-01-23 23:43:07 +00:00
### <a name="step4"></a>Step 4: Check capabilities of a token
2018-01-18 01:39:21 +00:00
Use the `/sys/capabilities` endpoint to fetch the capabilities of a token on a
given path. This helps to verify what operations are granted based on the
policies attached to the token.
#### CLI command
The command is:
```shell
$ vault token capabilities <TOKEN> <PATH>
2018-01-18 01:39:21 +00:00
```
**Example:**
2018-01-23 23:43:07 +00:00
First, create a token attached to `admin` policy:
```shell
$ vault token create -policy="admin"
2018-01-23 23:43:07 +00:00
Key Value
--- -----
token 79ecdd41-9bac-1ac7-1ee4-99fbce796221
token_accessor 39b5e8b5-7bbf-6c6d-c536-ba79d3a80dd5
token_duration 768h0m0s
token_renewable true
token_policies [admin default]
```
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```plaintext
$ vault token capabilities 79ecdd41-9bac-1ac7-1ee4-99fbce796221 sys/auth/approle
2018-01-23 23:43:07 +00:00
Capabilities: [create delete read sudo update]
2018-01-18 01:39:21 +00:00
```
The result should match the policy rule you wrote on the `sys/auth/*` path. You can
2018-01-23 23:43:07 +00:00
repeat the steps to generate a token for `provisioner` and check its
capabilities on paths.
In the absence of a token, it returns the capabilities of the current token invoking this
2018-01-18 01:39:21 +00:00
command.
```shell
$ vault token capabilities sys/auth/approle
2018-01-23 23:43:07 +00:00
Capabilities: [root]
2018-01-18 01:39:21 +00:00
```
#### API call using cURL
Use the `sys/capabilities` endpoint.
**Example:**
First, create a token attached to the `admin` policy:
2018-01-23 23:43:07 +00:00
```shell
$ curl --request POST --header "X-Vault-Token: ..." --data '{ "policies":"admin" }' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create
2018-01-23 23:43:07 +00:00
{
"request_id": "870ef38c-1401-7beb-633c-ff09cca3db68",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "9f3a9fbb-4e1a-87c3-9d4d-ee4d96d40af1",
"accessor": "f8a269c0-153a-c1ea-ae97-e7e964814392",
"policies": [
"root"
],
"metadata": null,
"lease_duration": 0,
"renewable": false,
"entity_id": ""
}
}
```
2018-01-18 01:39:21 +00:00
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
2018-01-23 23:43:07 +00:00
```shell
# Request payload
2018-01-18 01:39:21 +00:00
$ cat payload.json
{
2018-01-23 23:43:07 +00:00
"token": "9f3a9fbb-4e1a-87c3-9d4d-ee4d96d40af1",
"path": "sys/auth/approle"
}
$ curl --request POST --header "X-Vault-Token: ..." --data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/capabilities
2018-01-23 23:43:07 +00:00
{
"capabilities": [
"create",
"delete",
"read",
"sudo",
"update"
],
"request_id": "03f9d5e2-7e8a-4cd3-b9e9-034c058d3d06",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"capabilities": [
"create",
"delete",
"read",
"sudo",
"update"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
2018-01-18 01:39:21 +00:00
}
```
The result should match the policy rule you wrote on the `sys/auth/*` path. You can
2018-01-23 23:43:07 +00:00
repeat the steps to generate a token for `provisioner` and check its
capabilities on paths.
To check the current token's capabilities permitted on a path, use
the `sys/capabilities-self` endpoint.
2018-01-18 01:39:21 +00:00
```plaintext
2018-01-23 23:43:07 +00:00
$ curl --request POST --header "X-Vault-Token: ..." --data '{"path":"sys/auth/approle"}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/sys/capabilities-self
2018-01-18 01:39:21 +00:00
```
## Next steps
In this guide, you learned how to write policies based on given policy
requirements. Next, the [AppRole Pull Authentication](/guides/identity/authentication.html)
2018-01-18 01:39:21 +00:00
guide demonstrates how to associate policies to a role.
To learn about Sentinel policies, refer to the [Sentinel
2018-08-06 22:50:39 +00:00
Policies](/guides/identity/sentinel.html) guide.