Vault approle auth forces default policy
When creating a role with the AppRole auth method, I tell Vault to create the generated tokens according to the test policy:
vault write auth/approle/role/test \
bind_secret_id=true \
secret_id_num_uses=0 \
token_num_uses=100 \
token_ttl=10m \
token_max_ttl=10m \
policies=test
I get the roleid and secretid:
vault read auth/approle/role/test/role-id
vault write -f auth/approle/role/test/secret-id
and use them to generate a token:
vault write auth/approle/login \
role_id=a36f3615-9532-983a-991b-f5f4bff9723a \
secret_id=d74458b0-b076-12c6-fc5d-d5f92273ef9d
I get a generated token; now inspecting the generated token:
vault token lookup ddfe8514-4a9a-c14b-9179-576db031a137
Key Value
--- -----
accessor b8aecbf5-e0d1-d016-1c02-3e1a1fd5098a
creation_time 1532330714
creation_ttl 600
display_name approle
entity_id bcd8a77a-85df-8224-e5ff-9390cae15e25
expire_time 2018-07-23T09:35:14.579632638+02:00
explicit_max_ttl 0
id ddfe8514-4a9a-c14b-9179-576db031a137
issue_time 2018-07-23T09:25:14.579632516+02:00
meta map[role_name:test]
num_uses 100
orphan true
path auth/approle/login
policies [default test]
renewable true
ttl 580
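There it is! The default policy...
There is no documentation for AppRole on how to skip the default policy. Has anyone faced the same problem?
As stated in the official documentation: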
The default policy is a builtin Vault policy that cannot be removed.
By default, it is attached to all tokens, but may be explicitly
excluded at token creation time by supporting authentication methods.
Edit
According to this post, it's not actually possible to remove the default policy from AppRole. As you said, this could be a feature to be requested for a future version.
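A check that follows from the lookup output in the question, as an added example that is not part of the original posts: the shell functions below parse the `policies` row of `vault token lookup` table output and list every policy on the token that the role did not name. The function names are hypothetical and the sample input is constructed from the output shown in the question.

```bash
#!/usr/bin/env bash
# Constructed sample: rows copied from the `vault token lookup` output in the question.
sample_lookup() {
  cat <<'EOF'
Key                 Value
---                 -----
display_name        approle
meta                map[role_name:test]
path                auth/approle/login
policies            [default test]
ttl                 580
EOF
}

# token_policies: stdin is `vault token lookup` table output; prints one
# policy name per line, taken from the "policies" row only.
token_policies() {
  awk '$1 == "policies" {
    sub(/^policies[ \t]+/, "")      # drop the key column
    gsub(/\[|\]/, "")               # drop the surrounding brackets
    n = split($0, p, /[ \t]+/)
    for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
  }'
}

# unexpected_policies EXPECTED...: stdin is lookup output; prints each attached
# policy that is not in EXPECTED and returns 1 if there is at least one.
unexpected_policies() {
  up_found=0
  for up_pol in $(token_policies); do
    up_ok=0
    for up_want in "$@"; do
      if [ "$up_pol" = "$up_want" ]; then up_ok=1; fi
    done
    if [ "$up_ok" -eq 0 ]; then
      printf '%s\n' "$up_pol"
      up_found=1
    fi
  done
  return "$up_found"
}

# The role was written with policies=test, so "default" is reported as extra.
sample_lookup | unexpected_policies test || echo "token carries policies the role did not list"
```

Against a live server, pipe `vault token lookup` for the issued token into `unexpected_policies` in place of the sample.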