User with assigned policy can't access secrets
I created a kv (version 2) secrets engine, mounted at /secret:
$ vault secrets list
Path Type Accessor Description
---- ---- -------- -----------
cubbyhole/ cubbyhole cubbyhole_915b3383 per-token private secret storage
identity/ identity identity_9736df92 identity store
secret/ kv kv_8ba16621 n/a
sys/ system system_357a0e34 system endpoints used for control, policy and debugging
I have created a policy which should allow admin access to everything in myproject:
$ vault policy read myproject
path "secret/myproject/*" {
capabilities = ["create","read","update","delete","list"]
}
I have created a secret at the appropriate path (using the root token):
$ vault kv put secret/myproject/entry1 pass=pass
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
I created a user with the given policy assigned:
$ vault token lookup
Key Value
--- -----
accessor CBnMF4i2cgadYoMNAX1YHaX6
creation_time 1652281774
creation_ttl 168h
display_name userpass-myproject
entity_id ad07640c-9440-c4a1-b668-ab0b8d07fe93
expire_time 2022-05-18T15:09:34.799969629Z
explicit_max_ttl 0s
id s.FO7PrOBdvC3KB85N46E05msi
issue_time 2022-05-11T15:09:34.799982017Z
meta map[username:myproject]
num_uses 0
orphan true
path auth/userpass/login/myproject
policies [default myproject]
renewable true
ttl 167h53m36s
type service
But when I try to access anything (list, get), I get a 403 error:
$ vault kv list secret/myproject
Error listing secret/metadata/myproject: Error making API request.
URL: GET https://example.vault/v1/secret/metadata/myproject?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
$ vault kv get secret/myproject/entry1
Error reading secret/data/myproject/entry1: Error making API request.
URL: GET https://vault.private.gsd.sparkers.io/v1/secret/data/myproject/entry1
Code: 403. Errors:
* 1 error occurred:
* permission denied
When I change the policy to this (changing the path to secret/*), I can access everything:
$ vault policy read myproject
path "secret/*" {
capabilities = ["create","read","update","delete","list"]
}
$ vault kv get secret/myproject/entry1
====== Metadata ======
Key Value
--- -----
created_time 2022-05-11T15:06:49.658185443Z
deletion_time n/a
destroyed false
version 1
==== Data ====
Key Value
--- -----
pass pass
What am I doing wrong?
Turns out you need to define your policy like this:
path "secret/metadata/myproject/*" {
capabilities = ["list"]
}
path "secret/data/myproject/*" {
capabilities = ["create","read","update","delete"]
}
Because for engine v2, kv list adds metadata to your path, and kv get adds data to your path.
No idea how I missed this in the docs: https://www.vaultproject.io/docs/secrets/kv/kv-v2:
Writing and reading versions are prefixed with the data/ path.
Thanks @Matt Schuchard
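The following is an added illustration, not code from the question, the answer or HashiCorp Vault itself. It models the two things the answer relies on: the `vault kv` CLI rewrites `secret/myproject/...` into `secret/metadata/...` (for `list`) or `secret/data/...` (for `get`, `put`, `delete`) on a KV v2 mount, and a policy rule only grants anything if its path glob matches that rewritten path. The subcommand table, the simplified ACL evaluation (most specific matching rule wins, `deny` is absolute) and the trailing-slash handling for list requests are this example's own assumptions about Vault's behaviour; the three policies are the ones from the question and the answer.

```python
import re

# Constructed table (assumption, not Vault's own code): the API segment the
# `vault kv` CLI inserts after the mount on a KV v2 engine, and the ACL
# capability that request needs. This is the mapping the answer describes.
KV2_OPS = {
    "list":   ("metadata", "list"),
    "get":    ("data", "read"),
    "put":    ("data", "create"),
    "delete": ("data", "delete"),
}


def api_path(mount, subcommand, secret_path):
    """Return (API path, required capability) for `vault kv <subcommand> <mount>/<secret_path>`."""
    segment, capability = KV2_OPS[subcommand]
    path = f"{mount}/{segment}/{secret_path}"
    if capability == "list":
        path += "/"  # assumption: list requests are evaluated with a trailing slash
    return path, capability


def parse_policy(hcl):
    """Extract (path glob, capability set) pairs from the policy form used on this page."""
    rule_re = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}'
    return [(glob, set(re.findall(r'"([^"]+)"', caps)))
            for glob, caps in re.findall(rule_re, hcl)]


def glob_to_regex(glob):
    """Vault glob rules: a trailing '*' matches any suffix, '+' matches exactly one segment."""
    pattern = re.escape(glob)
    if pattern.endswith(r"\*"):
        pattern = pattern[:-2] + ".*"
    pattern = pattern.replace(r"\+", "[^/]+")
    return re.compile(f"^{pattern}$")


def allowed(policy_hcl, mount, subcommand, secret_path):
    """Simplified ACL check: the most specific matching rule decides, 'deny' is absolute."""
    path, needed = api_path(mount, subcommand, secret_path)
    matching = [(glob, caps) for glob, caps in parse_policy(policy_hcl)
                if glob_to_regex(glob).match(path)]
    if not matching:
        return False
    _, caps = max(matching, key=lambda rule: len(rule[0]))
    return "deny" not in caps and needed in caps


# The policy from the question (denies everything the user tries).
BROKEN_POLICY = '''
path "secret/myproject/*" {
  capabilities = ["create","read","update","delete","list"]
}
'''
# The policy from the answer (scoped to myproject, works on KV v2).
FIXED_POLICY = '''
path "secret/metadata/myproject/*" {
  capabilities = ["list"]
}
path "secret/data/myproject/*" {
  capabilities = ["create","read","update","delete"]
}
'''
# The over-broad workaround from the question: grants every project, not just myproject.
BROAD_POLICY = '''
path "secret/*" {
  capabilities = ["create","read","update","delete","list"]
}
'''


def explain(policy_hcl, subcommand, secret_path):
    """One line per command showing the real API path checked and the verdict."""
    path, needed = api_path("secret", subcommand, secret_path)
    ok = allowed(policy_hcl, "secret", subcommand, secret_path)
    verdict = "allowed" if ok else "403 permission denied"
    return f"vault kv {subcommand} secret/{secret_path} -> {needed} on {path}: {verdict}"


if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY), ("broad", BROAD_POLICY)]:
        print(f"== {name} policy ==")
        print(explain(policy, "list", "myproject"))
        print(explain(policy, "get", "myproject/entry1"))
        print(explain(policy, "get", "other/entry1"))
```

Running it shows why the first policy produces the 403s in the question (`secret/myproject/*` never matches a path that starts with `secret/metadata/` or `secret/data/`), why the answer's policy fixes it, and why `secret/*` also "works" only because it grants the user every secret on the mount, including `secret/data/other/entry1`, which the scoped policy correctly refuses.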