2018-01-18 01:39:21 +00:00
|
|
|
---
|
|
|
|
layout: "guides"
|
|
|
|
page_title: "Policies - Guides"
|
2018-02-23 00:24:01 +00:00
|
|
|
sidebar_current: "guides-identity-policies"
|
2018-01-18 01:39:21 +00:00
|
|
|
description: |-
|
|
|
|
Policies in Vault control what a user can access.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Policies
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
In Vault, we use policies to govern the behavior of clients and instrument
|
2018-01-24 19:47:31 +00:00
|
|
|
Role-Based Access Control (RBAC) by specifying access privileges
|
2018-01-25 00:01:44 +00:00
|
|
|
(_authorization_).
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
When you first initialize Vault, the
|
|
|
|
[**`root`**](/docs/concepts/policies.html#root-policy) policy gets created by
|
|
|
|
default. The `root` policy is a special policy that gives superuser access to
|
|
|
|
_everything_ in Vault. This allows the superuser to set up initial policies,
|
|
|
|
tokens, etc.
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
In addition, another built-in policy,
|
|
|
|
[**`default`**](/docs/concepts/policies.html#default-policy), is created. The
|
2018-01-18 01:39:21 +00:00
|
|
|
`default` policy is attached to all tokens and provides common permissions.
|
|
|
|
|
2018-02-01 17:50:59 +00:00
|
|
|
Everything in Vault is path based, and admins write policies to grant or forbid
|
|
|
|
access to certain paths and operations in Vault. Vault operates on a **secure by
|
2018-03-19 21:56:45 +00:00
|
|
|
default** standard, and as such, an empty policy grants **no permissions** in the
|
2018-01-25 00:01:44 +00:00
|
|
|
system.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
|
|
|
|
### HashiCorp Configuration Language (HCL)
|
|
|
|
|
|
|
|
Policies written in [HCL](https://github.com/hashicorp/hcl) format are often
|
2018-01-24 19:47:31 +00:00
|
|
|
referred as **_ACL Policies_**. [Sentinel](https://www.hashicorp.com/sentinel) is
|
2018-01-18 01:39:21 +00:00
|
|
|
another framework for policy which is available in [Vault
|
|
|
|
Enterprise](/docs/enterprise/index.html). Since Sentinel is an enterprise-only
|
2018-02-01 17:50:59 +00:00
|
|
|
feature, this guide focuses on writing ACL policies as a foundation.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
**NOTE:** HCL is JSON compatible; therefore, JSON can be used as completely
|
|
|
|
valid input.
|
|
|
|
|
|
|
|
## Reference Material
|
|
|
|
|
|
|
|
- [Policies](/docs/concepts/policies.html#default-policy) documentation
|
|
|
|
- [Policy API](/api/system/policy.html) documentation
|
|
|
|
- [Getting Started guide](/intro/getting-started/policies.html) on policies
|
|
|
|
|
2018-07-31 16:19:23 +00:00
|
|
|
~> **NOTE:** An [interactive
|
|
|
|
tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) is
|
|
|
|
also available if you do not have a Vault environment to perform the steps
|
|
|
|
described in this guide.
|
|
|
|
|
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
## Estimated Time to Complete
|
|
|
|
|
|
|
|
10 minutes
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
## Personas
|
|
|
|
|
|
|
|
The scenario described in this guide introduces the following personas:
|
|
|
|
|
|
|
|
- **`root`** sets up initial policies for `admin`
|
|
|
|
- **`admin`** is empowered with managing a Vault infrastructure for a team or
|
|
|
|
organizations
|
2018-03-19 21:56:45 +00:00
|
|
|
- **`provisioner`** configures secret engines and creates policies for
|
2018-01-23 23:43:07 +00:00
|
|
|
client apps
|
|
|
|
|
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
## Challenge
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
Since Vault centrally secures, stores, and controls access to secrets across
|
2018-01-23 23:43:07 +00:00
|
|
|
distributed infrastructure and applications, it is critical to control
|
|
|
|
permissions before any user or machine can gain access.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Solution
|
|
|
|
|
|
|
|
Restrict the use of root policy, and write fine-grained policies to practice
|
|
|
|
**least privileged**. For example, if an app gets AWS credentials from Vault,
|
2018-03-19 21:56:45 +00:00
|
|
|
write policy grants to `read` from AWS secret engine but not to `delete`, etc.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
Policies are attached to tokens and roles to enforce client permissions on
|
|
|
|
Vault.
|
|
|
|
|
|
|
|
|
|
|
|
## Prerequisites
|
|
|
|
|
|
|
|
To perform the tasks described in this guide, you need to have a Vault
|
|
|
|
environment. Refer to the [Getting
|
2018-01-23 23:43:07 +00:00
|
|
|
Started](/intro/getting-started/install.html) guide to install Vault. Make sure
|
|
|
|
that your Vault server has been [initialized and
|
2018-01-18 01:39:21 +00:00
|
|
|
unsealed](/intro/getting-started/deploy.html).
|
|
|
|
|
2018-01-25 00:01:44 +00:00
|
|
|
### Policy requirements
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
Since this guide demonstrates the creation of an **`admin`** policy, log in with
|
|
|
|
**`root`** token if possible. Otherwise, make sure that you have the following
|
|
|
|
permissions:
|
|
|
|
|
|
|
|
```shell
|
2018-03-19 21:56:45 +00:00
|
|
|
# Manage auth methods broadly across Vault
|
2018-01-25 02:10:56 +00:00
|
|
|
path "auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
}
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# List, create, update, and delete auth methods
|
2018-01-25 02:10:56 +00:00
|
|
|
path "sys/auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "sudo"]
|
|
|
|
}
|
|
|
|
|
|
|
|
# To list policies - Step 3
|
|
|
|
path "sys/policy"
|
|
|
|
{
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Create and manage ACL policies broadly across Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
path "sys/policy/*"
|
|
|
|
{
|
2018-01-25 02:10:56 +00:00
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-23 23:43:07 +00:00
|
|
|
}
|
|
|
|
|
2018-01-25 02:10:56 +00:00
|
|
|
# List, create, update, and delete key/value secrets
|
|
|
|
path "secret/*"
|
2018-01-23 23:43:07 +00:00
|
|
|
{
|
2018-01-25 02:10:56 +00:00
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
}
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# Manage and manage secret engines broadly across Vault.
|
2018-01-25 02:10:56 +00:00
|
|
|
path "sys/mounts/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
}
|
|
|
|
|
|
|
|
# Read health checks
|
|
|
|
path "sys/health"
|
|
|
|
{
|
|
|
|
capabilities = ["read", "sudo"]
|
2018-01-23 23:43:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# To perform Step 4
|
|
|
|
path "sys/capabilities"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "update"]
|
|
|
|
}
|
|
|
|
|
|
|
|
# To perform Step 4
|
|
|
|
path "sys/capabilities-self"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "update"]
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
## Steps
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
The basic workflow of creating policies is:
|
|
|
|
|
2018-01-30 00:41:44 +00:00
|
|
|
![Policy Creation Workflow](/assets/images/vault-policy-authoring-workflow.png)
|
2018-01-23 23:43:07 +00:00
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
This guide demonstrates basic policy authoring and management tasks.
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
1. [Write ACL policies in HCL format](#step1)
|
2018-03-19 21:56:45 +00:00
|
|
|
1. [Create policies](#step2)
|
|
|
|
1. [View existing policies](#step3)
|
|
|
|
1. [Check capabilities of a token](#step4)
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
### <a name="step1"></a>Step 1: Write ACL policies in HCL format
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-05-16 00:43:35 +00:00
|
|
|
Remember, an empty policy grants **no permission** in the system. Therefore, ACL
|
2018-01-23 23:43:07 +00:00
|
|
|
policies are defined for each path.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
```shell
|
|
|
|
path "<PATH>" {
|
2018-01-18 01:39:21 +00:00
|
|
|
capabilities = [ "<LIST_OF_CAPABILITIES>" ]
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
-> The path can have a wildcard ("`*`") at the end to allow for
|
2018-01-18 01:39:21 +00:00
|
|
|
namespacing. For example, "`secret/training_*`" grants permissions on any
|
2018-03-19 21:56:45 +00:00
|
|
|
path starting with "`secret/training_`" (e.g. `secret/training_vault`).
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Define one or more [capabilities](/docs/concepts/policies.html#capabilities) on each path to control operations that are
|
2018-01-18 01:39:21 +00:00
|
|
|
permitted.
|
|
|
|
|
|
|
|
| Capability | Associated HTTP verbs |
|
|
|
|
| --------------- |------------------------|
|
|
|
|
| create | POST/PUT |
|
|
|
|
| read | GET |
|
|
|
|
| update | POST/PUT |
|
|
|
|
| delete | DELETE |
|
|
|
|
| list | LIST
|
|
|
|
|
|
|
|
|
|
|
|
#### Policy requirements
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
The first step in creating policies is to **gather policy requirements**.
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
**Example:**
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
**`admin`** is a type of user empowered with managing a Vault infrastructure for
|
|
|
|
a team or organizations. Empowered with sudo, the Administrator is focused on
|
|
|
|
configuring and maintaining the health of Vault cluster(s) as well as
|
|
|
|
providing bespoke support to Vault users.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
`admin` must be able to:
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
- Mount and manage auth methods broadly across Vault
|
|
|
|
- Mount and manage secret engines broadly across Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
- Create and manage ACL policies broadly across Vault
|
|
|
|
- Read system health check
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
**`provisioner`** is a type of user or service that will be used by an automated
|
|
|
|
tool (e.g. Terraform) to provision and configure a namespace within a Vault
|
2018-03-19 21:56:45 +00:00
|
|
|
secret engine for a new Vault user to access and write secrets.
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
`provisioner` must be able to:
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
- Mount and manage auth methods
|
|
|
|
- Mount and manage secret engines
|
2018-01-23 23:43:07 +00:00
|
|
|
- Create and manage ACL policies
|
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
Now, you are ready to author policies to fulfill these requirements.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
#### Example policy for admin
|
|
|
|
|
|
|
|
`admin-policy.hcl`
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
```shell
|
2018-03-19 21:56:45 +00:00
|
|
|
# Manage auth methods broadly across Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
path "auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
}
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# List, create, update, and delete auth methods
|
2018-01-23 23:43:07 +00:00
|
|
|
path "sys/auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "sudo"]
|
|
|
|
}
|
|
|
|
|
2018-01-25 02:10:56 +00:00
|
|
|
# List existing policies
|
|
|
|
path "sys/policy"
|
|
|
|
{
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create and manage ACL policies broadly across Vault
|
|
|
|
path "sys/policy/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# List, create, update, and delete key/value secrets
|
|
|
|
path "secret/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# Manage and manage secret engines broadly across Vault.
|
2018-01-23 23:43:07 +00:00
|
|
|
path "sys/mounts/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
}
|
|
|
|
|
2018-08-07 17:35:23 +00:00
|
|
|
# List existing secret engines.
|
|
|
|
path "sys/mounts"
|
|
|
|
{
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Read health checks
|
|
|
|
path "sys/health"
|
|
|
|
{
|
|
|
|
capabilities = ["read", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
#### Example policy for provisioner
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
`provisioner-policy.hcl`
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
```shell
|
2018-03-19 21:56:45 +00:00
|
|
|
# Manage auth methods broadly across Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
path "auth/*"
|
|
|
|
{
|
2018-01-25 02:10:56 +00:00
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# List, create, update, and delete auth methods
|
2018-01-23 23:43:07 +00:00
|
|
|
path "sys/auth/*"
|
|
|
|
{
|
2018-01-25 02:10:56 +00:00
|
|
|
capabilities = ["create", "read", "update", "delete", "sudo"]
|
2018-01-23 23:43:07 +00:00
|
|
|
}
|
|
|
|
|
2018-01-26 23:13:15 +00:00
|
|
|
# List existing policies
|
|
|
|
path "sys/policy"
|
|
|
|
{
|
|
|
|
capabilities = ["read"]
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create and manage ACL policies
|
|
|
|
path "sys/policy/*"
|
|
|
|
{
|
2018-01-18 01:39:21 +00:00
|
|
|
capabilities = ["create", "read", "update", "delete", "list"]
|
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# List, create, update, and delete key/value secrets
|
|
|
|
path "secret/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
### <a name="step2"></a>Step 2: Create policies
|
|
|
|
|
|
|
|
Now, create `admin` and `provisioner` policies in Vault.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
#### CLI command
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
To create policies:
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy write <POLICY_NAME> <POLICY_FILE>
|
2018-01-23 23:43:07 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
**Example:**
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
```shell
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create admin policy
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy write admin admin-policy.hcl
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create provisioner policy
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy write provisioner provisioner-policy.hcl
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
**NOTE:** To update an existing policy, simply re-run the same command by
|
|
|
|
passing your modified policy (`*.hcl`).
|
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
To create a policy, use the `/sys/policy` endpoint:
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
```shell
|
|
|
|
$ curl --header "X-Vault-Token: <TOKEN>" \
|
|
|
|
--request PUT \
|
|
|
|
--data <PAYLOAD> \
|
|
|
|
<VAULT_ADDRESS>/v1/sys/policy/<POLICY_NAME>
|
|
|
|
```
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
|
2018-03-20 18:54:10 +00:00
|
|
|
stringified policy.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
**Example:**
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Now, create `admin` and `provisioner` policies:
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
```shell
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create admin policy
|
|
|
|
$ curl --request PUT --header "X-Vault-Token: ..." --data @admin-payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/policy/admin
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
$ cat admin-payload.json
|
2018-01-18 01:39:21 +00:00
|
|
|
{
|
2018-01-23 23:43:07 +00:00
|
|
|
"policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", ... }"
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create provisioner policy
|
|
|
|
$ curl --request PUT --header "X-Vault-Token: ..." --data @provisioner-payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/policy/provisioner
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
$ cat provisioner-payload.json
|
2018-01-18 01:39:21 +00:00
|
|
|
{
|
2018-01-23 23:43:07 +00:00
|
|
|
"policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", ... }"
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
-> NOTE: You can also use the `/sys/policies` endpoint which is used to manage
|
2018-01-23 23:43:07 +00:00
|
|
|
ACL, RGP, and EGP policies in Vault (RGP and EGP policies are enterprise-only
|
2018-03-19 21:56:45 +00:00
|
|
|
features). To list policies, invoke the `/sys/policies/acl` endpoint.
|
2018-01-23 23:43:07 +00:00
|
|
|
|
2018-01-18 01:39:21 +00:00
|
|
|
**NOTE:** To update an existing policy, simply re-run the same command by
|
|
|
|
passing your modified policy in the request payload (`*.json`).
|
|
|
|
|
|
|
|
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
### <a name="step3"></a>Step 3: View existing policies
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Make sure that you see the policies you created in [Step 2](#step2).
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
#### CLI command
|
|
|
|
|
|
|
|
The following command lists existing policies:
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy list
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
To view a specific policy:
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy read <POLICY_NAME>
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
|
|
|
```shell
|
2018-01-23 23:43:07 +00:00
|
|
|
# Read admin policy
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault policy read admin
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
# Mount and manage auth methods broadly across Vault
|
2018-01-23 23:43:07 +00:00
|
|
|
path "auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
path "sys/auth/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
# Create and manage ACL policies broadly across Vault
|
|
|
|
path "sys/policy/*"
|
|
|
|
{
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
...
|
|
|
|
```
|
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
|
|
|
To list existing ACL policies, use the `/sys/policy` endpoint.
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
```shell
|
2018-03-23 15:41:51 +00:00
|
|
|
$ curl --request LIST --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policy | jq
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
To read a specific policy, the endpoint path should be
|
|
|
|
`/sys/policy/<POLICY_NAME>`.
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
Read the admin policy:
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
```plaintext
|
2018-03-23 15:41:51 +00:00
|
|
|
$ curl --request GET --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policy/admin | jq
|
2018-01-18 01:39:21 +00:00
|
|
|
{
|
2018-01-23 23:43:07 +00:00
|
|
|
"name": "admin",
|
2018-03-19 21:56:45 +00:00
|
|
|
"rules": "# Mount and manage auth methods broadly across Vault\npath \"auth/*\"\n{\n ...",
|
2018-01-23 23:43:07 +00:00
|
|
|
"request_id": "e8151bf3-8136-fef9-428b-1506042350cf",
|
2018-01-18 01:39:21 +00:00
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
|
|
|
"lease_duration": 0,
|
2018-01-23 23:43:07 +00:00
|
|
|
"data": {
|
2018-01-18 01:39:21 +00:00
|
|
|
...
|
|
|
|
```
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
### <a name="step4"></a>Step 4: Check capabilities of a token
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
Use the `/sys/capabilities` endpoint to fetch the capabilities of a token on a
|
|
|
|
given path. This helps to verify what operations are granted based on the
|
|
|
|
policies attached to the token.
|
|
|
|
|
|
|
|
#### CLI command
|
|
|
|
|
|
|
|
The command is:
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault token capabilities <TOKEN> <PATH>
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
First, create a token attached to `admin` policy:
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault token create -policy="admin"
|
2018-01-23 23:43:07 +00:00
|
|
|
Key Value
|
|
|
|
--- -----
|
|
|
|
token 79ecdd41-9bac-1ac7-1ee4-99fbce796221
|
|
|
|
token_accessor 39b5e8b5-7bbf-6c6d-c536-ba79d3a80dd5
|
|
|
|
token_duration 768h0m0s
|
|
|
|
token_renewable true
|
|
|
|
token_policies [admin default]
|
|
|
|
```
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-01-23 23:43:07 +00:00
|
|
|
```plaintext
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault token capabilities 79ecdd41-9bac-1ac7-1ee4-99fbce796221 sys/auth/approle
|
2018-01-23 23:43:07 +00:00
|
|
|
Capabilities: [create delete read sudo update]
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
The result should match the policy rule you wrote on the `sys/auth/*` path. You can
|
2018-01-23 23:43:07 +00:00
|
|
|
repeat the steps to generate a token for `provisioner` and check its
|
|
|
|
capabilities on paths.
|
|
|
|
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
In the absence of a token, it returns the capabilities of the current token invoking this
|
2018-01-18 01:39:21 +00:00
|
|
|
command.
|
|
|
|
|
|
|
|
```shell
|
2018-01-30 18:46:27 +00:00
|
|
|
$ vault token capabilities sys/auth/approle
|
2018-01-23 23:43:07 +00:00
|
|
|
Capabilities: [root]
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
#### API call using cURL
|
|
|
|
|
|
|
|
Use the `sys/capabilities` endpoint.
|
|
|
|
|
|
|
|
**Example:**
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
First, create a token attached to the `admin` policy:
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
```shell
|
|
|
|
$ curl --request POST --header "X-Vault-Token: ..." --data '{ "policies":"admin" }' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/token/create
|
2018-01-23 23:43:07 +00:00
|
|
|
{
|
|
|
|
"request_id": "870ef38c-1401-7beb-633c-ff09cca3db68",
|
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"data": null,
|
|
|
|
"wrap_info": null,
|
|
|
|
"warnings": null,
|
|
|
|
"auth": {
|
|
|
|
"client_token": "9f3a9fbb-4e1a-87c3-9d4d-ee4d96d40af1",
|
|
|
|
"accessor": "f8a269c0-153a-c1ea-ae97-e7e964814392",
|
|
|
|
"policies": [
|
|
|
|
"root"
|
|
|
|
],
|
|
|
|
"metadata": null,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"renewable": false,
|
|
|
|
"entity_id": ""
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
2018-01-18 01:39:21 +00:00
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
|
2018-01-23 23:43:07 +00:00
|
|
|
|
|
|
|
```shell
|
|
|
|
# Request payload
|
2018-01-18 01:39:21 +00:00
|
|
|
$ cat payload.json
|
|
|
|
{
|
2018-01-23 23:43:07 +00:00
|
|
|
"token": "9f3a9fbb-4e1a-87c3-9d4d-ee4d96d40af1",
|
|
|
|
"path": "sys/auth/approle"
|
|
|
|
}
|
|
|
|
|
|
|
|
$ curl --request POST --header "X-Vault-Token: ..." --data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/capabilities
|
2018-01-23 23:43:07 +00:00
|
|
|
{
|
|
|
|
"capabilities": [
|
|
|
|
"create",
|
|
|
|
"delete",
|
|
|
|
"read",
|
|
|
|
"sudo",
|
|
|
|
"update"
|
|
|
|
],
|
|
|
|
"request_id": "03f9d5e2-7e8a-4cd3-b9e9-034c058d3d06",
|
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
|
|
|
"lease_duration": 0,
|
|
|
|
"data": {
|
|
|
|
"capabilities": [
|
|
|
|
"create",
|
|
|
|
"delete",
|
|
|
|
"read",
|
|
|
|
"sudo",
|
|
|
|
"update"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
"wrap_info": null,
|
|
|
|
"warnings": null,
|
|
|
|
"auth": null
|
2018-01-18 01:39:21 +00:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
The result should match the policy rule you wrote on the `sys/auth/*` path. You can
|
2018-01-23 23:43:07 +00:00
|
|
|
repeat the steps to generate a token for `provisioner` and check its
|
|
|
|
capabilities on paths.
|
|
|
|
|
2018-03-19 21:56:45 +00:00
|
|
|
To check the current token's capabilities permitted on a path, use
|
|
|
|
the `sys/capabilities-self` endpoint.
|
2018-01-18 01:39:21 +00:00
|
|
|
|
|
|
|
```plaintext
|
2018-01-23 23:43:07 +00:00
|
|
|
$ curl --request POST --header "X-Vault-Token: ..." --data '{"path":"sys/auth/approle"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/sys/capabilities-self
|
2018-01-18 01:39:21 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## Next steps
|
|
|
|
|
|
|
|
In this guide, you learned how to write policies based on given policy
|
2018-03-19 21:56:45 +00:00
|
|
|
requirements. Next, the [AppRole Pull Authentication](/guides/identity/authentication.html)
|
2018-01-18 01:39:21 +00:00
|
|
|
guide demonstrates how to associate policies to a role.
|
2018-08-06 22:39:32 +00:00
|
|
|
|
|
|
|
To learn about Sentinel policies, refer to the [Sentinel
|
2018-08-06 22:50:39 +00:00
|
|
|
Policies](/guides/identity/sentinel.html) guide.
|