open-vault/website/source/guides/identity/policies.html.md

660 lines
18 KiB
Markdown
Raw Normal View History

2018-01-18 01:39:21 +00:00
---
layout: "guides"
page_title: "Policies - Guides"
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "Policies"
sidebar_current: "guides-identity-policies"
2018-01-18 01:39:21 +00:00
description: |-
Policies in Vault control what a user can access.
---
# Policies
In Vault, we use policies to govern the behavior of clients and instrument
2018-01-24 19:47:31 +00:00
Role-Based Access Control (RBAC) by specifying access privileges
(_authorization_).
2018-01-18 01:39:21 +00:00
When you first initialize Vault, the
[**`root`**](/docs/concepts/policies.html#root-policy) policy gets created by
default. The `root` policy is a special policy that gives superuser access to
_everything_ in Vault. This allows the superuser to set up initial policies,
tokens, etc.
In addition, another built-in policy,
[**`default`**](/docs/concepts/policies.html#default-policy), is created. The
2018-01-18 01:39:21 +00:00
`default` policy is attached to all tokens and provides common permissions.
2018-02-01 17:50:59 +00:00
Everything in Vault is path based, and admins write policies to grant or forbid
access to certain paths and operations in Vault. Vault operates on a **secure by
default** standard, and as such, an empty policy grants **no permissions** in the
system.
2018-01-18 01:39:21 +00:00
### HashiCorp Configuration Language (HCL)
Policies written in [HCL](https://github.com/hashicorp/hcl) format are often
2018-01-24 19:47:31 +00:00
referred as **_ACL Policies_**. [Sentinel](https://www.hashicorp.com/sentinel) is
2018-01-18 01:39:21 +00:00
another framework for policy which is available in [Vault
Enterprise](/docs/enterprise/index.html). Since Sentinel is an enterprise-only
2018-02-01 17:50:59 +00:00
feature, this guide focuses on writing ACL policies as a foundation.
2018-01-18 01:39:21 +00:00
**NOTE:** HCL is JSON compatible; therefore, JSON can be used as completely
valid input.
## Reference Material
- [Policies](/docs/concepts/policies.html#default-policy) documentation
- [Policy API](/api/system/policy.html) documentation
- [Getting Started guide](/intro/getting-started/policies.html) on policies
~> **NOTE:** An [interactive
tutorial](https://www.katacoda.com/hashicorp/scenarios/vault-policies) is
also available if you do not have a Vault environment to perform the steps
described in this guide.
2018-01-18 01:39:21 +00:00
## Estimated Time to Complete
10 minutes
2018-01-23 23:43:07 +00:00
## Personas
The scenario described in this guide introduces the following personas:
- **`root`** sets up initial policies for `admin`
- **`admin`** is empowered with managing a Vault infrastructure for a team or
organizations
- **`provisioner`** configures secret engines and creates policies for
2018-01-23 23:43:07 +00:00
client apps
2018-01-18 01:39:21 +00:00
## Challenge
Since Vault centrally secures, stores, and controls access to secrets across
2018-01-23 23:43:07 +00:00
distributed infrastructure and applications, it is critical to control
permissions before any user or machine can gain access.
2018-01-18 01:39:21 +00:00
## Solution
Restrict the use of root policy, and write fine-grained policies to practice
**least privileged**. For example, if an app gets AWS credentials from Vault,
write policy grants to `read` from AWS secret engine but not to `delete`, etc.
2018-01-18 01:39:21 +00:00
Policies are attached to tokens and roles to enforce client permissions on
Vault.
## Prerequisites
To perform the tasks described in this guide, you need to have a Vault
environment. Refer to the [Getting
2018-01-23 23:43:07 +00:00
Started](/intro/getting-started/install.html) guide to install Vault. Make sure
that your Vault server has been [initialized and
2018-01-18 01:39:21 +00:00
unsealed](/intro/getting-started/deploy.html).
### Policy requirements
2018-01-23 23:43:07 +00:00
Since this guide demonstrates the creation of an **`admin`** policy, log in with
**`root`** token if possible. Otherwise, make sure that you have the following
permissions:
```shell
# Manage auth methods broadly across Vault
2018-01-25 02:10:56 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create, update, and delete auth methods
2018-01-25 02:10:56 +00:00
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
2018-01-25 02:10:56 +00:00
}
# List auth methods
path "sys/auth"
2018-01-25 02:10:56 +00:00
{
capabilities = ["read"]
}
# Create and manage ACL policies via CLI
2018-01-23 23:43:07 +00:00
path "sys/policy/*"
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-23 23:43:07 +00:00
}
# Create and manage ACL policies via API
path "sys/policies/acl/*"
2018-01-23 23:43:07 +00:00
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# To list policies - Step 3
path "sys/policy"
2018-01-25 02:10:56 +00:00
{
capabilities = ["read"]
2018-01-23 23:43:07 +00:00
}
# To perform Step 4
path "sys/capabilities"
{
capabilities = ["create", "update"]
}
# To perform Step 4
path "sys/capabilities-self"
{
capabilities = ["create", "update"]
}
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage secret engines broadly across Vault
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secret engines
path "sys/mounts"
{
capabilities = ["read"]
}
# Read health checks
path "sys/health"
{
capabilities = ["read", "sudo"]
}
2018-01-23 23:43:07 +00:00
```
2018-01-18 01:39:21 +00:00
## Steps
2018-01-23 23:43:07 +00:00
The basic workflow of creating policies is:
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
![Policy Creation Workflow](/img/vault-policy-authoring-workflow.png)
2018-01-23 23:43:07 +00:00
2018-01-18 01:39:21 +00:00
This guide demonstrates basic policy authoring and management tasks.
2018-01-23 23:43:07 +00:00
1. [Write ACL policies in HCL format](#step1)
1. [Create policies](#step2)
1. [View existing policies](#step3)
1. [Check capabilities of a token](#step4)
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
### <a name="step1"></a>Step 1: Write ACL policies in HCL format
2018-01-18 01:39:21 +00:00
2018-05-16 00:43:35 +00:00
Remember, an empty policy grants **no permission** in the system. Therefore, ACL
2018-01-23 23:43:07 +00:00
policies are defined for each path.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```shell
path "<PATH>" {
2018-01-18 01:39:21 +00:00
capabilities = [ "<LIST_OF_CAPABILITIES>" ]
}
```
-> The path can have a wildcard ("`*`") at the end to allow for
2018-01-18 01:39:21 +00:00
namespacing. For example, "`secret/training_*`" grants permissions on any
path starting with "`secret/training_`" (e.g. `secret/training_vault`).
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
Define one or more [capabilities](/docs/concepts/policies.html#capabilities) on each path to control operations that are
2018-01-18 01:39:21 +00:00
permitted.
| Capability | Associated HTTP verbs |
| --------------- |------------------------|
| create | POST/PUT |
| read | GET |
| update | POST/PUT |
| delete | DELETE |
| list | LIST
#### Policy requirements
The first step in creating policies is to **gather policy requirements**.
2018-01-23 23:43:07 +00:00
**Example:**
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
**`admin`** is a type of user empowered with managing a Vault infrastructure for
a team or organizations. Empowered with sudo, the Administrator is focused on
configuring and maintaining the health of Vault cluster(s) as well as
providing bespoke support to Vault users.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
`admin` must be able to:
2018-01-18 01:39:21 +00:00
- Enable and manage auth methods broadly across Vault
- Manage the key/value secret engines at `secret/` path
2018-01-23 23:43:07 +00:00
- Create and manage ACL policies broadly across Vault
- Read system health check
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
**`provisioner`** is a type of user or service that will be used by an automated
tool (e.g. Terraform) to provision and configure a namespace within a Vault
secret engine for a new Vault user to access and write secrets.
2018-01-23 23:43:07 +00:00
`provisioner` must be able to:
- Enable and manage auth methods
- Manage the key/value secret engines at `secret/` path
2018-01-23 23:43:07 +00:00
- Create and manage ACL policies
2018-01-18 01:39:21 +00:00
Now, you are ready to author policies to fulfill these requirements.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
#### Example policy for admin
`admin-policy.hcl`
2018-01-18 01:39:21 +00:00
```shell
# Manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create, update, and delete auth methods
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
# List auth methods
path "sys/auth"
{
capabilities = ["read"]
2018-01-23 23:43:07 +00:00
}
# List existing policies via CLI
2018-01-25 02:10:56 +00:00
path "sys/policy"
{
capabilities = ["read"]
}
# Create and manage ACL policies via CLI
2018-01-23 23:43:07 +00:00
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
# Create and manage ACL policies via API
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
2018-01-23 23:43:07 +00:00
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
# Manage secret engines broadly across Vault
2018-01-23 23:43:07 +00:00
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List existing secret engines
path "sys/mounts"
{
capabilities = ["read"]
}
2018-01-23 23:43:07 +00:00
# Read health checks
path "sys/health"
{
capabilities = ["read", "sudo"]
2018-01-18 01:39:21 +00:00
}
```
2018-01-23 23:43:07 +00:00
#### Example policy for provisioner
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
`provisioner-policy.hcl`
2018-01-18 01:39:21 +00:00
```shell
# Manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
2018-01-25 02:10:56 +00:00
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
# Create, update, and delete auth methods
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
# List auth methods
path "sys/auth"
{
capabilities = ["read"]
2018-01-23 23:43:07 +00:00
}
# List existing policies via CLI
path "sys/policy"
{
capabilities = ["read"]
}
# Create and manage ACL policies via CLI
2018-01-23 23:43:07 +00:00
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Create and manage ACL policies via API
path "sys/policies/acl/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
# List, create, update, and delete key/value secrets
path "secret/*"
{
capabilities = ["create", "read", "update", "delete", "list"]
2018-01-18 01:39:21 +00:00
}
```
2018-01-23 23:43:07 +00:00
### <a name="step2"></a>Step 2: Create policies
Now, create `admin` and `provisioner` policies in Vault.
2018-01-18 01:39:21 +00:00
#### CLI command
2018-01-23 23:43:07 +00:00
To create policies:
```shell
$ vault policy write <POLICY_NAME> <POLICY_FILE>
2018-01-23 23:43:07 +00:00
```
**Example:**
2018-01-18 01:39:21 +00:00
```shell
2018-01-23 23:43:07 +00:00
# Create admin policy
$ vault policy write admin admin-policy.hcl
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
# Create provisioner policy
$ vault policy write provisioner provisioner-policy.hcl
2018-01-18 01:39:21 +00:00
```
**NOTE:** To update an existing policy, simply re-run the same command by
passing your modified policy (`*.hcl`).
#### API call using cURL
To create a policy, use the
[`sys/policies/acl`](/api/system/policies.html#create-update-acl-policy)
endpoint:
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```shell
$ curl --header "X-Vault-Token: <TOKEN>" \
--request PUT \
--data <PAYLOAD> \
<VAULT_ADDRESS>/v1/sys/policies/acl/<POLICY_NAME>
2018-01-23 23:43:07 +00:00
```
2018-01-18 01:39:21 +00:00
Where `<TOKEN>` is your valid token, and `<PAYLOAD>` includes the policy name and
2018-03-20 18:54:10 +00:00
stringified policy.
2018-01-18 01:39:21 +00:00
-> **NOTE:** To create ACL policies, you can use the
[`sys/policy`](/api/system/policy.html) endpoint as well.
2018-01-18 01:39:21 +00:00
**Example:**
2018-01-18 01:39:21 +00:00
```shell
# Create the API request payload. Use stringified policy expression.
$ tee admin-payload.json <<EOF
2018-01-18 01:39:21 +00:00
{
"policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List auth methods\npath \"sys/auth\"\n{\n capabilities = [\"read\"]\n}\n\n# List existing policies\npath \"sys/policies\"\n{\n capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies broadly across Vault\npath \"sys/policies/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# Manage and manage secret engines broadly across Vault.\npath \"sys/mounts/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List existing secret engines.\npath \"sys/mounts\"\n{\n capabilities = [\"read\"]\n}\n\n# Read health checks\npath \"sys/health\"\n{\n capabilities = [\"read\", \"sudo\"]\n}"
2018-01-18 01:39:21 +00:00
}
EOF
2018-01-18 01:39:21 +00:00
# Create admin policy
$ curl --header "X-Vault-Token: ..." \
--request PUT \
--data @admin-payload.json \
http://127.0.0.1:8200/v1/sys/policies/acl/admin
2018-01-18 01:39:21 +00:00
# Create the API requset payload for creating provisioner policy
$ tee provisioner-payload.json <<EOF
2018-01-18 01:39:21 +00:00
{
"policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]\n}\n\n# List, create, update, and delete auth methods\npath \"sys/auth/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"sudo\"]\n}\n\n# List existing policies\npath \"sys/policy\"\n{\n capabilities = [\"read\"]\n}\n\n# Create and manage ACL policies\npath \"sys/policy/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}\n\n# List, create, update, and delete key/value secrets\npath \"secret/*\"\n{\n capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n}"
2018-01-18 01:39:21 +00:00
}
EOF
2018-01-18 01:39:21 +00:00
# Create provisioner policy
$ curl --header "X-Vault-Token: ..." \
--request PUT \
--data @provisioner-payload.json \
http://127.0.0.1:8200/v1/sys/policies/acl/provisioner
```
2018-01-23 23:43:07 +00:00
2018-01-18 01:39:21 +00:00
**NOTE:** To update an existing policy, simply re-run the same command by
passing your modified policy in the request payload (`*.json`).
2018-01-23 23:43:07 +00:00
### <a name="step3"></a>Step 3: View existing policies
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
Make sure that you see the policies you created in [Step 2](#step2).
2018-01-18 01:39:21 +00:00
#### CLI command
The following command lists existing policies:
```shell
$ vault policy list
2018-01-18 01:39:21 +00:00
```
To view a specific policy:
```shell
$ vault policy read <POLICY_NAME>
2018-01-18 01:39:21 +00:00
```
**Example:**
```shell
2018-01-23 23:43:07 +00:00
# Read admin policy
$ vault policy read admin
# Mount and manage auth methods broadly across Vault
2018-01-23 23:43:07 +00:00
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
path "sys/auth/*"
{
capabilities = ["create", "read", "update", "delete", "sudo"]
2018-01-18 01:39:21 +00:00
}
2018-01-23 23:43:07 +00:00
# Create and manage ACL policies broadly across Vault
path "sys/policy/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
2018-01-18 01:39:21 +00:00
}
...
```
#### API call using cURL
To list existing ACL policies, use the `sys/policies/acl` endpoint.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```shell
$ curl --request LIST --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl | jq
2018-01-18 01:39:21 +00:00
```
To read a specific policy, the endpoint path should be
`sys/policies/acl/<POLICY_NAME>`.
2018-01-18 01:39:21 +00:00
-> **NOTE:** To read existing ACL policies, you can use the `sys/policy`
endpoint as well.
2018-01-18 01:39:21 +00:00
**Example:**
2018-01-18 01:39:21 +00:00
```shell
# Read the admin policy
$ curl --header "X-Vault-Token: ..." http://127.0.0.1:8200/v1/sys/policies/acl/admin | jq
2018-01-18 01:39:21 +00:00
{
"request_id": "3f826e5c-70a0-2998-8082-fe34c67c59d1",
2018-01-18 01:39:21 +00:00
"lease_id": "",
"renewable": false,
"lease_duration": 0,
2018-01-23 23:43:07 +00:00
"data": {
"name": "admin",
"policy": "# Manage auth methods broadly across Vault\npath \"auth/*\"\n{\n capabilities = [\"create\", \"read\" ...
},
"wrap_info": null,
"warnings": null,
"auth": null
}
2018-01-18 01:39:21 +00:00
```
2018-01-23 23:43:07 +00:00
### <a name="step4"></a>Step 4: Check capabilities of a token
2018-01-18 01:39:21 +00:00
This step shows how to print out the permitted capabilities of a token on a
path. This can help verifying what operations are granted based on the policies
attached to the token.
2018-01-18 01:39:21 +00:00
#### CLI command
The command is:
```shell
$ vault token capabilities <TOKEN> <PATH>
2018-01-18 01:39:21 +00:00
```
**Example:**
First, create a token attached to `admin` policy.
2018-01-23 23:43:07 +00:00
```shell
$ vault token create -policy="admin"
Key Value
--- -----
token 2sHGlAHNj36LpqQ2Zevl2Owi
token_accessor 4G4UIsQOMwifg7vMLqf6QIc3
token_duration 768h
token_renewable true
token_policies ["admin" "default"]
identity_policies []
policies ["admin" "default"]
2018-01-23 23:43:07 +00:00
```
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
2018-01-18 01:39:21 +00:00
2018-01-23 23:43:07 +00:00
```plaintext
$ vault token capabilities 2sHGlAHNj36LpqQ2Zevl2Owi sys/auth/approle
create, delete, read, sudo, update
2018-01-18 01:39:21 +00:00
```
The result should match the policy rule you wrote on the `sys/auth/*` path. You
can repeat the steps to generate a token for `provisioner` and check its
2018-01-23 23:43:07 +00:00
capabilities on paths.
In the absence of a token, it returns the capabilities of the current token
invoking this command.
2018-01-18 01:39:21 +00:00
```shell
$ vault token capabilities sys/auth/approle
root
2018-01-18 01:39:21 +00:00
```
#### API call using cURL
Use the `sys/capabilities` endpoint.
**Example:**
First, create a token attached to the `admin` policy:
2018-01-23 23:43:07 +00:00
```shell
$ curl --request POST --header "X-Vault-Token: ..." --data '{ "policies":"admin" }' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/token/create
2018-01-23 23:43:07 +00:00
{
"request_id": "bd9b3216-f7e6-610c-4861-38b9112a1821",
"lease_id": "",
2018-01-23 23:43:07 +00:00
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "3xlduc1vGMD7vKeGLyONAxdS",
"accessor": "FOoNv0YJSCqtPVCpW03qVeKd",
"policies": [
"admin",
"default"
],
"token_policies": [
"admin",
"default"
],
"metadata": null,
"lease_duration": 2764800,
"renewable": true,
"entity_id": ""
}
2018-01-23 23:43:07 +00:00
}
```
2018-01-18 01:39:21 +00:00
Now, fetch the capabilities of this token on the `sys/auth/approle` path.
2018-01-23 23:43:07 +00:00
```shell
# Request payload
$ tee payload.json <<EOF
2018-01-18 01:39:21 +00:00
{
"token": "3xlduc1vGMD7vKeGLyONAxdS",
2018-01-23 23:43:07 +00:00
"path": "sys/auth/approle"
}
EOF
2018-01-23 23:43:07 +00:00
$ curl --request POST --header "X-Vault-Token: ..." \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/capabilities | jq
2018-01-23 23:43:07 +00:00
{
"sys/auth/approle": [
"create",
"delete",
"read",
"sudo",
"update"
],
2018-01-23 23:43:07 +00:00
"capabilities": [
"create",
"delete",
"read",
"sudo",
"update"
],
...
2018-01-18 01:39:21 +00:00
}
```
The result should match the policy rule you wrote on the `sys/auth/*` path. You can
2018-01-23 23:43:07 +00:00
repeat the steps to generate a token for `provisioner` and check its
capabilities on paths.
To check the current token's capabilities permitted on a path, use
the `sys/capabilities-self` endpoint.
2018-01-18 01:39:21 +00:00
```plaintext
$ curl --request POST --header "X-Vault-Token: ..." \
--data '{"path":"sys/auth/approle"}' \
http://127.0.0.1:8200/v1/sys/capabilities-self
2018-01-18 01:39:21 +00:00
```
## Next steps
In this guide, you learned how to write policies based on given policy
requirements. Next, the [AppRole Pull Authentication](/guides/identity/authentication.html)
2018-01-18 01:39:21 +00:00
guide demonstrates how to associate policies to a role.
To learn about Sentinel policies, refer to the [Sentinel
2018-08-06 22:50:39 +00:00
Policies](/guides/identity/sentinel.html) guide.