API Policies


david...@gmail.com

Oct 17, 2018, 3:45:18 AM10/17/18
to Vault
Hey,
I am trying to create an acl policy via the api in path /sys/policies/acl
The policy:
{
  "path": {
    "secret/dir": {
      "capabilities": ["read", "write"]
    }
  }
}

I get the error: 400, policy parameter not supplied or empty.

Is the problem in the policy syntax?

Thanks in advance!

Nathan Basanese

Oct 17, 2018, 3:01:50 PM10/17/18
to Vault
  // , Did you get a chance to look at the Vault Docs? 

        https://duckduckgo.com/?q=create+vault+policy+with+vault+api

        https://www.vaultproject.io/api/system/policies.html#create-update-acl-policy

The short answer is "No." In different forms, this has come up before at least a few times on the forum.

A quick search in a search engine shows that Vault does require policies sent over its API to use JSON: 

[screenshot omitted: Screen Shot 2018-10-17 at 12.00.33.png]

But Vault's JSON schema for Vault Policies doesn't seem to match that for the rest of the HashiCorp tools, I guess. 

The entire policy needs to go in one value, under the "policy": key. 

Tools like hcl2json will NOT work for Vault policies: 

[screenshot omitted: Screen Shot 2018-10-17 at 11.54.18.png]

But here's an example of a format that will work: 

{
    "policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"] }"
}

The Vault API for Policies expects a .hcl policy JSON-serialized as a single string. 

Please refer to the post I made about this earlier: 

And a Vault Policy .hcl file to Vault-compatible .json converter I made: 

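A small Python example, added here and not written by either poster or by HashiCorp, that does what the reply above describes: it takes an HCL policy, serializes the whole document as one JSON string under the "policy" key, pre-checks the body the way the server does (so the 400 "policy parameter not supplied or empty" is caught before sending), and builds the PUT request. The endpoint shape /v1/sys/policies/acl/<name> and the X-Vault-Token header come from the Vault API docs linked above; the address, policy name and token are placeholders, and the sample policy is constructed for the example.

```python
"""Wrap a Vault ACL policy written in HCL into the JSON body that the
policies API expects, and build the PUT request without sending it.

Assumptions (not from the thread): endpoint /v1/sys/policies/acl/<name>,
the X-Vault-Token header, a local dev address and a placeholder token.
"""
import json
import urllib.request

# Constructed sample policy in HCL, Vault's native policy language.
# Vault capabilities are create/read/update/delete/list/sudo/deny; "write" is not one of them.
SAMPLE_HCL = '''path "secret/dir" {
  capabilities = ["read", "update"]
}
'''

# The original poster's body: a nested JSON object with no "policy" key (constructed here).
NESTED_JSON_BODY = json.dumps(
    {"path": {"secret/dir": {"capabilities": ["read", "write"]}}}
)


def build_acl_policy_body(hcl: str) -> str:
    """Return the request body: the whole HCL document as ONE string value under "policy".
    json.dumps does the escaping of embedded quotes and newlines for us."""
    return json.dumps({"policy": hcl})


def policy_from_body(body: str) -> str:
    """Inverse of build_acl_policy_body: recover the HCL text from a request body."""
    return json.loads(body)["policy"]


def body_has_policy_param(body: str) -> bool:
    """Client-side pre-check mirroring the 400 'policy parameter not supplied or empty':
    the body must be a JSON object whose "policy" member is a non-empty string."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    policy = data.get("policy") if isinstance(data, dict) else None
    return isinstance(policy, str) and policy.strip() != ""


def build_request(vault_addr: str, name: str, token: str, hcl: str) -> urllib.request.Request:
    """Build (but do not send) PUT <vault_addr>/v1/sys/policies/acl/<name>.
    Raises ValueError early instead of letting the server answer 400."""
    body = build_acl_policy_body(hcl)
    if not body_has_policy_param(body):
        raise ValueError("policy parameter not supplied or empty")
    return urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/sys/policies/acl/{name}",
        data=body.encode("utf-8"),
        method="PUT",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Compare the two bodies; nothing is sent over the network.
    print("nested JSON accepted?", body_has_policy_param(NESTED_JSON_BODY))  # False
    print("HCL-in-string accepted?", body_has_policy_param(build_acl_policy_body(SAMPLE_HCL)))  # True
    req = build_request("http://127.0.0.1:8200", "my-policy", "PLACEHOLDER_TOKEN", SAMPLE_HCL)
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
    # To actually apply the policy: urllib.request.urlopen(req)
```

The same body works with curl once the HCL has been run through a JSON encoder (any language's json library will do); the point is that the server never parses the policy out of the JSON tree, it only reads the string under "policy".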
David Poalim

Oct 17, 2018, 3:14:22 PM10/17/18
to vault...@googlegroups.com
Well I think the post below confused me a little:
Thank you for your answer!

You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9323e4da-9f4e-4a11-9414-dc9e5584fb05%40googlegroups.com.