How to get HashiCorp Vault policy right?

The situation is as follows: I created a user

vault write auth/userpass/users/'username' password='password' policies=default

with the default policy, and added the path

path "secret/db_pass/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}

to the default policy. But when I try to access secret/, I get the error 'You don't have access to secret/', even though I have added the permission in the policy file.

Am I doing something wrong? Could some kind soul help? If any other information is needed, please let me know.

Not sure, but it seems the policy structure has changed. To access "secret/db_pass/", you need access to secret/ itself. So I achieved this with 2 policies: one for access to secret/, the other for secret/db_pass/.

path "secret/" {
  capabilities = ["list"]
}

path "secret/db_pass/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}

In KV v2, you need to add data/ after secret/ in the second policy.

You also need to add * after secret/ in the first policy.

So Ashit's solution becomes:

path "secret/*" {
  capabilities = ["list"]
}

path "secret/data/db_pass/*" {
  capabilities = ["create", "read", "delete", "update", "list"]
}
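To see why the question's single rule fails, why the two-rule answer works on KV v1, and why the KV v2 follow-up needs the data/ prefix, here is a small policy evaluator written as an added example for this thread; it is not Vault's own code. It models Vault's ACL in simplified form (an exact path or a trailing `*` prefix glob, the longest matching rule wins, and a path with no matching rule gets no capabilities) and maps a `vault kv` request on a v2 mount to the API path the ACL actually checks (reads and writes go through `<mount>/data/`, lists through `<mount>/metadata/`). The three policies are the ones posted above; the request paths such as `secret/db_pass/app` are constructed sample input.

```python
"""Simplified model of Vault ACL path matching (added example, not Vault's code)."""
from typing import Dict, Optional, Set

FULL = {"create", "read", "delete", "update", "list"}

# The single rule from the question.
POLICY_QUESTION: Dict[str, Set[str]] = {"secret/db_pass/*": FULL}

# Ashit's two-rule answer (works on a KV v1 mount).
POLICY_KV1: Dict[str, Set[str]] = {
    "secret/": {"list"},
    "secret/db_pass/*": FULL,
}

# The KV v2 variant from the second answer.
POLICY_KV2: Dict[str, Set[str]] = {
    "secret/*": {"list"},
    "secret/data/db_pass/*": FULL,
}


def rule_matches(rule: str, request: str) -> bool:
    """A trailing '*' is a prefix glob; anything else must match exactly."""
    if rule.endswith("*"):
        return request.startswith(rule[:-1])
    return rule == request


def capabilities(policy: Dict[str, Set[str]], request: str) -> Set[str]:
    """Return the capabilities of the most specific (longest) matching rule.

    Simplification: Vault's real precedence rules are richer, but the
    longest-match behaviour is what matters for the paths in this thread.
    """
    best: Optional[str] = None
    for rule in policy:
        if rule_matches(rule, request) and (best is None or len(rule) > len(best)):
            best = rule
    return set(policy[best]) if best is not None else set()


def allowed(policy: Dict[str, Set[str]], request: str, cap: str) -> bool:
    return cap in capabilities(policy, request)


def kv2_api_path(mount: str, key: str, op: str) -> str:
    """Map a `vault kv` operation on a KV v2 mount to the API path the ACL sees."""
    prefix = "metadata" if op == "list" else "data"
    return f"{mount}/{prefix}/{key}"


if __name__ == "__main__":
    # The question: only secret/db_pass/* is granted, so secret/ itself is denied.
    print("question, list secret/:", allowed(POLICY_QUESTION, "secret/", "list"))
    # KV v1: the extra secret/ rule fixes the listing, db_pass stays fully usable.
    print("kv1, list secret/:", allowed(POLICY_KV1, "secret/", "list"))
    print("kv1, read secret/db_pass/app:", allowed(POLICY_KV1, "secret/db_pass/app", "read"))
    # Same policy on a KV v2 mount: the read really hits secret/data/..., which no rule covers.
    v2_read = kv2_api_path("secret", "db_pass/app", "read")
    print("kv1 policy on v2 read", v2_read + ":", allowed(POLICY_KV1, v2_read, "read"))
    # KV v2 policy: data/ rule grants the read; the secret/* list rule also covers metadata/ listing.
    print("kv2, read", v2_read + ":", allowed(POLICY_KV2, v2_read, "read"))
    v2_list = kv2_api_path("secret", "db_pass/", "list")
    print("kv2, list", v2_list + ":", allowed(POLICY_KV2, v2_list, "list"))
    # Least privilege check: other keys under secret/ get list only, never read.
    print("kv2, read secret/data/other/app:", allowed(POLICY_KV2, "secret/data/other/app", "read"))
```

The last check is the one worth keeping in mind when widening `secret/` to `secret/*`: because the longest matching rule wins, `secret/*` with `list` only lets the token enumerate key names, while read and write stay confined to `secret/data/db_pass/`. Against a real server the equivalent check is `vault token capabilities <path>` with the token in question.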