Hashicorp Vault permission with no response
Question
I have created a kv (version 2) secrets engine, mounted on /secret:
/ $ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
secret/ kv kv_dba4200e n/a
I have created a policy that should give admin access to everything in dev/team-1:
/ $ vault policy read dev
path "secret/data/dev/team-1/*" {
  capabilities = ["create", "update", "read", "list"]
}
path "secret/metadata/dev/team-1/*" {
  capabilities = ["list", "read"]
}
I have created a secret:
/ $ vault kv get secret/dev/team-1
===== Secret Path =====
secret/data/dev/team-1
======= Metadata =======
Key Value
--- -----
created_time 2023-05-13T00:09:15.416686671Z
custom_metadata <nil>
deletion_time n/a
destroyed false
version 1
=== Data ===
Key Value
--- -----
key teste
and also I have created a user that has been assigned the given policy:
/ $ vault token lookup
Key Value
--- -----
accessor UYB46guPahXROwvvFpRJ3in7
creation_time 1683931479
creation_ttl 768h
display_name token
entity_id n/a
expire_time 2023-06-13T22:44:39.062580257Z
explicit_max_ttl 0s
id hvs.CAESIDoYx7LfFWXh9p3KJ_CqyDQSQgQvPONeXpU4jcek-bt5Gh4KHGh2cy4zTjZUbGRKeUY3MkpweW52aDVWV0RvS3A
issue_time 2023-05-12T22:44:39.062596882Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default dev]
renewable true
ttl 766h11m17s
type service
However, when I try to access anything (list, get) with this new user attached to the dev policy, I get this:
/ $ vault kv list secret/dev/team-1
No value found at secret/metadata/dev/team-1
/ $ vault kv get secret/dev/team-1/key
No value found at secret/data/dev/team-1/key
I would really appreciate it if anyone could help with any guidance; I have spent a couple of days trying to figure out what I'm doing wrong.
Answer 1
Score: 1
Your KVv2 engine secret is located at path secret/dev/team-1, but the policy grants permissions to secrets at a nested path. The permissions need to be for the desired path, and not a nested path:
path "secret/data/dev/team-1" {
  capabilities = ["create", "update", "read", "list"]
}
path "secret/metadata/dev/team-1" {
  capabilities = ["list", "read"]
}
Also note this policy would not really grant admin access as it is missing other permissions such as sudo, but the only one really necessary here would be read.
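The matching rule behind this answer, as an added example that is not part of the original post and is not HashiCorp's code: the Python below models Vault's documented policy path matching (an exact path, a trailing `*` glob that matches any suffix, `+` matching one whole path segment, and `deny` overriding the rest) together with the path rewriting the `vault kv` CLI does on a KV version 2 mount, which the question's own output shows (`kv get secret/dev/team-1` reads `secret/data/dev/team-1`, `kv list secret/dev/team-1` goes to `secret/metadata/dev/team-1`). It also assumes, following Vault's HTTP handling of LIST requests, that a list is checked with a trailing slash on the path. The policy names and the `COMBINED_POLICY` that grants both the exact path and the `/*` glob are constructed for the example. Run against the three commands from the thread, it shows which requests pass the ACL at all: Vault evaluates the policy before touching the backend, so a request that no rule covers gets `permission denied` (403), while `No value found` (404) only appears after the check succeeds and nothing exists at the path. That is why `kv get secret/dev/team-1/key` is a 404 under the original policy: the path matches the glob, but `key` is a field inside the secret at `secret/dev/team-1`, not a secret of its own (`vault kv get -field=key secret/dev/team-1` reads that field).

```python
"""Offline model of how Vault checks a `vault kv` request against a policy.

Added example, not from the original post or from HashiCorp. It runs without
a Vault server; the real check is `vault token capabilities PATH`.
"""
from __future__ import annotations

from typing import Dict, List, Set

Policy = Dict[str, List[str]]  # policy path pattern -> capabilities

# Constructed for this example: the two policies from the thread, plus a
# combined form covering both the secret itself and anything nested under it.
ORIGINAL_POLICY: Policy = {
    "secret/data/dev/team-1/*": ["create", "update", "read", "list"],
    "secret/metadata/dev/team-1/*": ["list", "read"],
}
CORRECTED_POLICY: Policy = {
    "secret/data/dev/team-1": ["create", "update", "read", "list"],
    "secret/metadata/dev/team-1": ["list", "read"],
}
COMBINED_POLICY: Policy = {**ORIGINAL_POLICY, **CORRECTED_POLICY}

# Capability each `vault kv` subcommand needs on the rewritten API path.
REQUIRED_CAP = {"get": "read", "list": "list", "put": "create", "delete": "delete"}


def kv2_api_path(mount: str, cmd: str, path: str) -> str:
    """API path the ACL sees for `vault kv <cmd> <mount>/<path>` on a KV v2 mount.

    Data reads/writes go under <mount>/data/, listing under <mount>/metadata/,
    and a LIST is normalised to end in '/' before the policy check (assumption
    taken from Vault's HTTP handling; verify with `vault token capabilities`).
    """
    prefix = "metadata" if cmd == "list" else "data"
    api = f"{mount.strip('/')}/{prefix}/{path.strip('/')}"
    return api + "/" if cmd == "list" else api


def _segment_ok(pat_seg: str, req_seg: str) -> bool:
    return pat_seg == "+" or pat_seg == req_seg


def pattern_matches(pattern: str, request: str) -> bool:
    """Vault policy path matching.

    A trailing '*' matches any remainder of the request, '+' matches exactly
    one path segment, everything else is literal. Note that "a/b/*" splits
    into the prefix "a/b/", so it covers "a/b/" and "a/b/c" but not "a/b".
    """
    req = request.split("/")
    if pattern.endswith("*"):
        pat = pattern[:-1].split("/")
        if len(req) < len(pat):
            return False
        head, tail = pat[:-1], pat[-1]
        return (all(_segment_ok(p, r) for p, r in zip(head, req))
                and req[len(head)].startswith(tail))
    pat = pattern.split("/")
    return len(req) == len(pat) and all(_segment_ok(p, r) for p, r in zip(pat, req))


def capabilities(policy: Policy, request: str) -> Set[str]:
    """Capabilities granted for one API path.

    A rule without wildcards that matches exactly wins outright; otherwise the
    longest matching wildcard rule applies. "deny" in the winning rule
    removes everything.
    """
    matches = [(pat, caps) for pat, caps in policy.items()
               if pattern_matches(pat, request)]
    if not matches:
        return set()
    exact = [m for m in matches if "*" not in m[0] and "+" not in m[0]]
    _, caps = exact[0] if exact else max(matches, key=lambda m: len(m[0]))
    return set() if "deny" in caps else set(caps)


def is_allowed(policy: Policy, cmd: str, path: str, mount: str = "secret") -> bool:
    """True when `vault kv <cmd> <mount>/<path>` passes the ACL check.

    Vault evaluates the policy before touching the backend, so a failed check
    is 'permission denied' (403); only an allowed request can come back as
    'No value found' (404) when nothing exists at the path.
    """
    return REQUIRED_CAP[cmd] in capabilities(policy, kv2_api_path(mount, cmd, path))


if __name__ == "__main__":
    # The three commands from the thread, checked against each policy.
    commands = [("get", "dev/team-1"), ("list", "dev/team-1"), ("get", "dev/team-1/key")]
    for name, policy in (("original", ORIGINAL_POLICY),
                         ("corrected", CORRECTED_POLICY),
                         ("combined", COMBINED_POLICY)):
        for cmd, path in commands:
            verdict = "allowed" if is_allowed(policy, cmd, path) else "permission denied"
            print(f"{name:9} kv {cmd:4} secret/{path:15} -> "
                  f"{kv2_api_path('secret', cmd, path):30} {verdict}")
```

Under this model the original policy covers children of `dev/team-1` but not the secret itself, the answer's exact-path policy covers the secret itself but nothing below it (including the `secret/metadata/dev/team-1/` path a list is checked against), and only the combined policy passes all three commands. To confirm against a live server instead of the model, run `vault token capabilities secret/data/dev/team-1` and `vault token capabilities secret/metadata/dev/team-1/` with the dev token; each prints the capability list the ACL resolves for that path.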