Add instructions for both kvv1 and kvv2 to getting started policies info

Jeff Mitchell 2018-05-22 14:07:07 -04:00
parent d88e4d5019
commit d60360ddbe
1 changed files with 49 additions and 6 deletions


@ -27,13 +27,23 @@ Policies are authored in [HCL][hcl], but it is JSON compatible. Here is an
example policy:
```hcl
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
capabilities = ["create"]
}
path "secret/foo" {
capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
capabilities = ["create"]
}
path "secret/data/foo" {
capabilities = ["read"]
}
```
With this policy, a user could write any secret to `secret/`, except to
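Review bot: the comments inside the policy call the two cases "Normal servers" and "Dev servers", while the test section added later in this same file uses the headings "Dev servers" and "Non-dev servers"; pick one pair of terms and use it in both places. A sentence after the block explaining why the two rule sets can live in one policy would also help: on a v2 mount `vault kv put secret/foo` is sent to `secret/data/foo`, so the read-only `secret/data/foo` rule is the one that restricts it, and on a v1 mount the `secret/data/*` rules are redundant with `secret/*` but do make the literal key `secret/data/foo` read-only as a side effect.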
@ -69,13 +79,23 @@ Here is an example you can copy-paste in the terminal:
```text
$ vault policy write my-policy -<<EOF
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
capabilities = ["create"]
}
path "secret/foo" {
capabilities = ["read"]
}
# Dev servers have version 2 of KV mounted by default, so will need these
# paths:
path "secret/data/*" {
capabilities = ["create"]
}
path "secret/data/foo" {
capabilities = ["read"]
}
EOF
```
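Review bot: this heredoc repeats the policy body from the example above verbatim, so any future edit to one copy has to be mirrored in the other; either keep only the `$ vault policy write my-policy -<<EOF` / `EOF` framing here with a pointer back to the policy above, or add a sentence saying the two must stay identical.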
@ -92,11 +112,12 @@ To view the contents of a policy, run:
```text
$ vault policy read my-policy
# Normal servers have version 1 of KV mounted by default, so will need these
# paths:
path "secret/*" {
capabilities = ["create"]
}
# ...
...
```
## Testing the Policy
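Review bot: the `vault policy read my-policy` output is cut off after the first v1 rule, so a reader following along will not see the `secret/data/*` rules echoed back and may think they were not saved; either show both the v1 and v2 blocks in the output or say in the surrounding text that it is abbreviated.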
@ -130,11 +151,33 @@ token_policies [default my-policy]
Verify that you can write any data to `secret/`, but only read from
`secret/foo`:
### Dev servers
```text
$ vault write secret/bar value=yes
$ vault kv put secret/bar robot=beepboop
Key Value
--- -----
created_time 2018-05-22T18:05:42.537496856Z
deletion_time n/a
destroyed false
version 1
$ vault kv put secret/foo robot=beepboop
Error writing data to secret/data/foo: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/data/foo
Code: 403. Errors:
* permission denied
```
### Non-dev servers
```text
$ vault kv put secret/bar robot=beepboop
Success! Data written to: secret/bar
$ vault write secret/foo value=yes
$ vault kv put secret/foo robot=beepboop
Error writing data to secret/foo: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/secret/foo
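Review bot: the lead-in sentence promises to verify both halves ("write any data to `secret/`, but only read from `secret/foo`"), yet both subsections only show the denied `vault kv put secret/foo`; add a `vault kv get secret/foo` under each heading so the reader also sees that the read capability is granted. It is also worth one sentence pointing at the `URL: PUT http://127.0.0.1:8200/v1/secret/data/foo` line in the dev-server error, since that is the visible evidence that the CLI rewrote the request to the `data/` path and therefore the reason the policy needs the `secret/data/*` rules on those servers. Finally, the hunk shows both the old `$ vault write secret/bar value=yes` / `$ vault write secret/foo value=yes` commands and the new `vault kv put` ones; confirm only the `vault kv put` form remains in the rendered page.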