Unable to write into vault even with admin policy with create/update access


Tw3rp

Jul 30, 2018, 2:42:27 PM
to Vault
What did I do?

I try doing vault login with ldap and I get logged in with the tokens and policies

$ vault login -method=ldap username=<username>


Key                    Value
---                    -----
token                  <token>
token_accessor         <token_accessor>
token_duration         768h
token_renewable        true
token_policies         [admin default read-only]
token_meta_username    <username>


The following is the policy description

$ vault policy read admin

...
# enable secret permissions
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}
# no denys in the policy
...

$ vault policy read read-only
...
path "secret/*" { policy = "read" }
# No denys in the policy either
...

When I try to write a secret I get

$ vault write secret/v1/sadasdasd value='<random stuff>'

I get 
Error writing data to secret/v1/sadasdasd: Error making API request.

URL: PUT https://<url>/secret/v1/sadasdasd
Code: 403. Errors:

* permission denied

What do I expect?

The write should work

Workaround

This works when I create a token with only admin policy and write to that path. But does not solve the ldap issue.

If anyone has any info, it's very much appreciated! Thanks!

Jeff Mitchell

Jul 30, 2018, 3:52:46 PM
to Vault
Hi,

Can you list the full contents of the policies?

Thanks,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/48db8c2e-23d1-4962-8f38-f3775e2be652%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tw3rp

Jul 30, 2018, 4:38:23 PM
to Vault
Hi Jeff, 

Of course! It is

For policy read-only it is

path "secret/*" { policy = "read" }


For policy admin it is

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo"]
}

# enable audit permissions
path "sys/audit/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# enable secret permissions
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# read auth methods
path "sys/audit" {
  capabilities = ["list", "read", "sudo"]
}

# enable stepdown permissions for stepping down a leader
path "sys/step-down/*"
{
  capabilities = ["create", "read", "update", "delete", "sudo", "list"]
}

# list step down permission
path "sys/step-down" {
  capabilities = ["create", "update", "list", "read", "sudo"]
}

# read auth methods
path "sys/auth" {
  capabilities = ["read"]
}

path "auth/token/create" {
  capabilities = ["create", "read", "update", "list"]
}

# List existing policies
path "sys/policy"
{
  capabilities = ["read"]
}

# Create and manage ACL policies broadly across Vault
path "sys/policy/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage and manage secret engines broadly across Vault.
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Read health checks
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

Thanks,
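To see what Vault's documented merge rules say about the two policies quoted above, here is a small model written for this thread (added example, not code from the thread or from Vault): it parses the HCL subset used in the posts, unions capabilities per path across policies, lets an explicit deny win, picks the longest matching rule, and shows that under those rules admin plus read-only together should permit the write to secret/v1/sadasdasd, so a 403 would have to come from something not shown here (another policy or a rule on a longer prefix, or the token not carrying the expected policies). The legacy `policy = "read"` mapping to read and list, and the union/deny semantics, are taken from the Vault policy documentation; `merge`, `parse_policy`, `effective_caps` and `allowed` are names chosen for this example.

```python
# Toy model of Vault's documented ACL merge rules (added example, not Vault's code):
# legacy `policy = "read"` means ["read", "list"]; the longest matching path rule wins;
# capabilities on the same path are unioned across policies; "deny" overrides.
import re

LEGACY = {  # legacy `policy = "..."` keyword -> capability set, per the Vault policy docs
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
    "sudo": {"create", "read", "update", "delete", "list", "sudo"},
    "deny": {"deny"},
}

def merge(existing, new):
    """Union two capability sets; an explicit deny on either side sticks."""
    return {"deny"} if "deny" in existing | new else existing | new

def parse_policy(text):
    """Parse the HCL subset used in the thread into {path: set(capabilities)}."""
    rules = {}
    for path, body in re.findall(r'path\s+"([^"]+)"\s*\{(.*?)\}', text, re.S):
        caps = set()
        m = re.search(r'capabilities\s*=\s*\[([^\]]*)\]', body)
        if m:
            caps |= set(re.findall(r'"([^"]+)"', m.group(1)))
        m = re.search(r'policy\s*=\s*"([^"]+)"', body)
        if m:
            caps |= LEGACY[m.group(1)]
        rules[path] = merge(rules.get(path, set()), caps)  # same path listed twice
    return rules

def effective_caps(policies, path):
    """Merge every policy, then return the capabilities of the longest rule matching path."""
    merged = {}
    for policy in policies:
        for rule_path, caps in parse_policy(policy).items():
            merged[rule_path] = merge(merged.get(rule_path, set()), caps)
    best_path, best_caps = "", set()
    for rule_path, caps in merged.items():
        hit = path.startswith(rule_path[:-1]) if rule_path.endswith("*") else path == rule_path
        if hit and len(rule_path) > len(best_path):
            best_path, best_caps = rule_path, caps
    return best_caps

def allowed(policies, path, capability):
    caps = effective_caps(policies, path)
    return "deny" not in caps and capability in caps

# Constructed copies of the two rules quoted in the thread.
READ_ONLY = 'path "secret/*" { policy = "read" }'
ADMIN = 'path "secret/*"\n{\n  capabilities = ["create", "read", "update", "delete", "sudo", "list"]\n}'
```

Running `allowed([ADMIN, READ_ONLY], "secret/v1/sadasdasd", "update")` returns True under these rules; the real check on a live server is `vault token capabilities secret/v1/sadasdasd` with the LDAP token, which reports what Vault itself computed.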

Jeff Mitchell

Jul 30, 2018, 4:41:09 PM
to Vault
What about the read-only policy?

Best,
Jeff

Tw3rp

Aug 1, 2018, 1:02:21 PM
to Vault
Hi Jeff,

The read only policy is attached in the above post as well.

Thanks

Jeff Mitchell

Aug 1, 2018, 4:57:20 PM
to Vault
Please stick to a single thread.

Tw3rp

Aug 1, 2018, 6:15:56 PM
to Vault
Sorry about that, someone else opened another thread. I'll continue there.