Policy to look up an accessor

Sergei Gerasenko

Jul 11, 2018, 2:57:59 PM
to Vault
Hi,

I'm having trouble looking up accessors as a non-root user. What are the correct policies to enable that? Here's what I have:

To list accessors:
path "/auth/token/accessors/*" {
  capabilities = ["read", "list"]
}

To look up an accessor:
path "/auth/token/lookup-accessor/*" {
  capabilities = ["sudo"]
}

Thanks!
  S

Brian Kassouf

Jul 11, 2018, 3:12:43 PM
to vault...@googlegroups.com
Hi Sergei,

Could you try:

path "/auth/token/lookup-accessor/*" {
  capabilities = ["sudo", "read"]
}

You need to provide both sudo and the action you want to do.

Best,
Brian
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9bef8b8d-d47e-47bf-b6b5-2d2485839d84%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Sergei Gerasenko

Jul 11, 2018, 3:16:59 PM
to Vault
Hi Brian,

Thanks for the quick reply. No, that didn't help unfortunately. Still 403.

Thanks!
  Sergei

Sergei Gerasenko

Jul 11, 2018, 3:42:41 PM
to Vault
Same problem with "/sys/mounts":

path "/sys/mounts/*" {
  capabilities = ["sudo", "read", "list"]
}

but getting:

URL: GET https://MYHOST:8200/v1/sys/mounts
Code: 403. Errors:

* permission denied

Brian Kassouf

Jul 11, 2018, 4:46:17 PM
to vault...@googlegroups.com
Apologies, try:

path "/sys/mounts" {
  capabilities = ["sudo", "read", "list"]
}

path "/auth/token/accessors" {
  capabilities = ["sudo", "list"]
}

path "/auth/token/lookup-accessor" {
  capabilities = ["create", "update"]
}

The paths you are trying to access do not need a "/*" at the end. You
can see the paths over in our api docs:
https://www.vaultproject.io/api/system/mounts.html#list-mounted-secrets-engines
https://www.vaultproject.io/api/auth/token/index.html#list-accessors
https://www.vaultproject.io/api/auth/token/index.html#lookup-a-token-accessor

Sergei Gerasenko

Jul 11, 2018, 5:06:13 PM
to Vault
Hi Brian,

It worked! Except I did have to include the star on /auth/token/accessors. Are you sure it's not needed?

Thanks!!!
  Sergei

Brian Kassouf

Jul 11, 2018, 6:24:30 PM
to vault...@googlegroups.com
I don't believe it should be needed, but i'm glad you got it working!

Best,
Brian

Calvin Leung Huang

Jul 11, 2018, 6:44:13 PM
to Vault
Sergei,

Can you try appending a slash and getting rid of the asterisk, and see if that works?

path "/auth/token/accessors/" {
  capabilities = ["sudo", "list"]
}

Regards,
Calvin

Sergei Gerasenko

Jul 12, 2018, 10:20:33 AM
to Vault
Calvin, that does work as well.

So why / and not /*?

Also why create+update on the lookup-accessor path?

Sergei Gerasenko

Jul 12, 2018, 10:26:22 AM
to Vault
The only thing left is to figure out how to list policies. I've tried this so far:

path "/sys/policy" {
  capabilities = [ "sudo", "list" ]
}

Thanks much in advance!

Calvin Leung Huang

Jul 12, 2018, 10:31:42 AM
to Vault
Sergei,

When you hit a LIST API endpoint, Vault will automatically append a trailing slash to the request URL, since LIST always operates on a prefix. This means that in order for the ACL to match the request path, the path needs that trailing slash for the list capability check to pass. Specific reference to this behavior can be found in this section of the documentation.

If you are looking up a specific token by accessor you would hit the auth/token/lookup-accessor path which requires create/update permissions since that's a POST request.


Regards,
Calvin

Sergei Gerasenko

Jul 12, 2018, 10:42:54 AM
to Vault
Cool, got it. Thanks so much, Calvin.

Calvin Leung Huang

Jul 12, 2018, 10:55:32 AM
to Vault
Sergei,

To elaborate a bit more from my last post, and to answer your other question:

> So why / and not /*?

The auth/token/accessors endpoint doesn't take in the accessor (or anything else) in the request path, which is why you don't need to glob (use the *).


> The only thing left is to figure out how to list policies

For listing policies, try one of the following:

Older endpoint:
path "/sys/policy/" {
  capabilities = [ "list" ]
}

# To allow for CLI (as of 0.10.3) `vault policy list`
path "/sys/policy" {
  capabilities = [ "read" ]
}

Newer endpoint:
path "/sys/policies/acl/" {
  capabilities = [ "list" ]
}


Regards,
Calvin 
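The following is an added example, not code from the thread or from Vault itself: a small Python model of the path-matching rules the replies above describe (a leading "/" in a policy path is ignored, a path ending in "*" is a prefix glob, LIST gets a trailing "/" appended before the ACL check, POST needs create or update, and a sudo-protected path additionally needs "sudo"). It replays the three requests from the thread against Sergei's first attempt and against the policy the thread converged on, and shows why "/auth/token/accessors" does not match a LIST while both "/auth/token/accessors/" and "/auth/token/accessors/*" do. The SUDO_PROTECTED prefixes are an assumption taken from the two working rules that carry "sudo" (Vault's real list is longer and version-dependent), and accepting either create or update for POST is a simplification.

```python
"""Simplified model of how Vault matches an API request against ACL policy
paths. Illustrative only; this is not Vault's implementation."""
from typing import Dict, List, Optional, Set, Tuple

Policy = Dict[str, List[str]]

# HTTP method -> capabilities that satisfy it. Accepting either create or
# update for POST/PUT is an assumption; Vault picks one per request.
OP_CAPS: Dict[str, Set[str]] = {
    "GET": {"read"},
    "LIST": {"list"},
    "POST": {"create", "update"},
    "PUT": {"create", "update"},
    "DELETE": {"delete"},
}

# Request-path prefixes this model treats as sudo-protected. ASSUMPTION: taken
# from the thread's working rules that carry "sudo"; check the docs for the
# full list in your Vault version.
SUDO_PROTECTED: Tuple[str, ...] = ("sys/mounts", "auth/token/accessors/")


def match_rule(policy: Policy, req_path: str) -> Optional[str]:
    """Return the policy path governing req_path, or None if nothing matches.
    An exact match beats any glob; among globs the longest prefix wins."""
    exact: Optional[str] = None
    best_glob: Optional[str] = None
    best_len = -1
    for raw in policy:
        rule = raw.lstrip("/")            # leading "/" in a policy is ignored
        if rule.endswith("*"):            # trailing "*" = prefix glob
            prefix = rule[:-1]
            if req_path.startswith(prefix) and len(prefix) > best_len:
                best_glob, best_len = raw, len(prefix)
        elif rule == req_path:
            exact = raw
    return exact if exact is not None else best_glob


def is_allowed(policy: Policy, method: str, path: str) -> Tuple[bool, str]:
    """Decide one request; the second element names the rule or the reason."""
    req_path = path.lstrip("/")
    if method == "LIST" and not req_path.endswith("/"):
        req_path += "/"                   # appended before the ACL is consulted
    raw = match_rule(policy, req_path)
    if raw is None:
        return False, f"no policy path matches {req_path!r}"
    caps = set(policy[raw])
    if "deny" in caps:
        return False, f"{raw}: deny"
    if not caps & OP_CAPS[method]:
        return False, f"{raw}: {method} needs one of {sorted(OP_CAPS[method])}"
    if req_path.startswith(SUDO_PROTECTED) and "sudo" not in caps:
        return False, f"{raw}: sudo-protected path, needs sudo as well"
    return True, raw


# Sergei's first attempt: every path carries a trailing "/*".
FIRST_ATTEMPT: Policy = {
    "/auth/token/accessors/*": ["read", "list"],
    "/auth/token/lookup-accessor/*": ["sudo", "read"],
    "/sys/mounts/*": ["sudo", "read", "list"],
}

# What the thread converged on: Brian's paths, the trailing "/" on the LIST
# path per Calvin, plus Calvin's policy-listing rules.
WORKING: Policy = {
    "/sys/mounts": ["sudo", "read", "list"],
    "/auth/token/accessors/": ["sudo", "list"],
    "/auth/token/lookup-accessor": ["create", "update"],
    "/sys/policy/": ["list"],
    "/sys/policy": ["read"],
    "/sys/policies/acl/": ["list"],
}

# The three requests the thread is about (constructed from the posts above).
REQUESTS = [
    ("GET", "sys/mounts"),
    ("LIST", "auth/token/accessors"),
    ("POST", "auth/token/lookup-accessor"),
]


def evaluate(policy: Policy) -> Dict[str, bool]:
    """Map 'METHOD path' -> allowed? for each request in REQUESTS."""
    return {f"{m} {p}": is_allowed(policy, m, p)[0] for m, p in REQUESTS}


if __name__ == "__main__":
    for name, pol in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(f"== {name}")
        for m, p in REQUESTS:
            ok, why = is_allowed(pol, m, p)
            print(f"  {m:<5} {p:<28} {'allow' if ok else 'DENY'}  {why}")
    for rule in ("/auth/token/accessors", "/auth/token/accessors/", "/auth/token/accessors/*"):
        ok, why = is_allowed({rule: ["sudo", "list"]}, "LIST", "auth/token/accessors")
        print(f"LIST accessors under {rule!r}: {'allow' if ok else 'DENY'}  ({why})")
```

Against a real Vault the equivalent check is `vault token capabilities <token> auth/token/accessors/` (with the trailing slash, since that is the path the LIST will actually be checked against); it reports the capabilities the token's policies grant on that exact path, which is the quickest way to confirm a rule matches before debugging a 403.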