The concept of sub-folders


Sergei Gerasenko

Jul 11, 2018, 5:14:25 PM
to Vault
Hi,

I'm a bit confused about the proper way to create a filesystem-like hierarchy of secrets with Vault. It seems that once I've created a backend, say '/test', I can't create subfolders underneath. The documentation talks only about simple cases like this:

vault kv put /test/some_secret key=value

How do I store "some_secret" under /test/subfolder1/subfolder2 for example?

Thanks!
  Sergei

Brian Kassouf

Jul 11, 2018, 6:27:59 PM
to vault...@googlegroups.com
Hi,

The key you provide is able to be any name you want, so you should be able to do:

vault kv put test/subfolder1/subfolder2/some_secret key=value

You'll need to make sure the token you're using has the proper
policies to write to this path.

Best,
Brian
> --
> This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/6510f75f-90f5-4415-920c-c241dbf5e421%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Sergei Gerasenko

Jul 12, 2018, 10:00:25 AM
to Vault
It worked! Thank you, Brian!

Sergei Gerasenko

Jul 12, 2018, 10:46:01 AM
to Vault
A quick follow-up question. Let's say I want to create a "users" backend so that it looks like this:

/users/user1/secret_x
/users/user2/secret_y

What should be the policies to enable user1 and user2 to read their own secrets only?

Sergei Gerasenko

Jul 12, 2018, 10:51:39 AM
to Vault
I think this will work for user1 (as an example):

path "users/metadata/user1/" {
  capabilities = ["list"]
}

path "users/user1/*" {
  capabilities = ["read", "list", "update", "create", "delete"]
}

Sergei Gerasenko

Jul 12, 2018, 11:10:09 AM
to Vault
Correction:

path "users/metadata/user1/" {
  capabilities = ["list"]
}

path "users/data/user1/*" {
  capabilities = ["read", "list", "update", "create", "delete"]
}

The "metadata" and "data" in the paths are due to version 2 of the kv backend.

Brian Kassouf

Jul 12, 2018, 7:58:32 PM
to vault...@googlegroups.com
Hi Sergei,

You'll probably also want

path "users/metadata/user1/*" {
  capabilities = ["list"]
}

but looks good other than that

Best,
Brian
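To make the two answers above concrete, here is an added example that is not code from the thread or from HashiCorp: a small model of how Vault's ACL treats the KV v2 policies Sergei and Brian posted. It shows why arbitrary-depth keys like `test/subfolder1/subfolder2/some_secret` need no special setup (the key is just a path), how `vault kv get/put/list` on a KV v2 mount turn into `<mount>/data/...` and `<mount>/metadata/...` requests, and what Brian's extra `users/metadata/user1/*` list rule changes. The policies are constructed from the posted rules; Vault's real evaluator (a radix tree in `vault/acl.go`) is more complete, and this model covers only exact paths, trailing-`*` globs and the `deny` capability.

```python
"""Model of how Vault's ACL checks the KV v2 policies from this thread.

Added example, not code from the thread or from HashiCorp. Policies are
constructed from the rules posted above; the path mapping follows the KV v2
layout (secret versions under <mount>/data/, listing and version history
under <mount>/metadata/).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str
    capabilities: frozenset


def rule(path, *caps):
    return Rule(path, frozenset(caps))


# Sergei's corrected policy for user1, as posted in the thread.
SERGEI_USER1 = [
    rule("users/metadata/user1/", "list"),
    rule("users/data/user1/*", "read", "list", "update", "create", "delete"),
]

# The same policy plus the metadata/* list rule Brian suggested.
BRIAN_USER1 = SERGEI_USER1 + [rule("users/metadata/user1/*", "list")]

# How `vault kv <op>` on a KV v2 mount becomes the API path segment and the
# capability the ACL checks. `kv put` needs "create" for a new key and
# "update" for an existing one; "create" is used here for simplicity.
KV2_OPERATIONS = {
    "get": ("data", "read"),
    "put": ("data", "create"),
    "delete": ("data", "delete"),
    "list": ("metadata", "list"),
    "metadata get": ("metadata", "read"),
}


def kv2_request(mount, logical_path, op):
    """Map a logical `vault kv` path to (api_path, capability)."""
    segment, capability = KV2_OPERATIONS[op]
    parts = [p.strip("/") for p in (mount, segment, logical_path)]
    api_path = "/".join(p for p in parts if p)
    # Vault normalizes LIST requests to a trailing slash before ACL matching,
    # which is why an exact rule on "users/metadata/user1/" grants `kv list`.
    if capability == "list" and not api_path.endswith("/"):
        api_path += "/"
    return api_path, capability


def matching_rule(policy, api_path):
    """Exact-path rules win; otherwise the longest matching trailing-'*' glob."""
    for r in policy:
        if not r.path.endswith("*") and r.path == api_path:
            return r
    globs = [r for r in policy
             if r.path.endswith("*") and api_path.startswith(r.path[:-1])]
    return max(globs, key=lambda r: len(r.path), default=None)


def allowed(policy, mount, logical_path, op):
    """True if the policy grants the capability the KV v2 operation needs."""
    api_path, capability = kv2_request(mount, logical_path, op)
    r = matching_rule(policy, api_path)
    if r is None or "deny" in r.capabilities:
        return False
    return capability in r.capabilities


if __name__ == "__main__":
    # Constructed requests: user1's own secret, user2's secret, listing at
    # several depths, and reading version metadata.
    checks = [
        ("user1/secret_x", "get"),
        ("user2/secret_y", "get"),
        ("user1", "list"),
        ("user1/nested", "list"),
        ("", "list"),
        ("user1/secret_x", "metadata get"),
    ]
    for name, policy in (("sergei", SERGEI_USER1), ("brian", BRIAN_USER1)):
        for logical, op in checks:
            api_path, cap = kv2_request("users", logical, op)
            ok = allowed(policy, "users", logical, op)
            print(f"{name:6} kv {op:12} users/{logical:16} -> "
                  f"{cap:6} {api_path:34} {ok}")
```

Running it shows the difference Brian's rule makes: with Sergei's policy alone `vault kv list users/user1` works (exact match on `users/metadata/user1/`), but listing a nested folder such as `users/user1/nested` is denied until the `users/metadata/user1/*` glob is added. Neither policy lets user1 list the mount root or read user2's secret, and the `list` capability on `users/data/user1/*` is never exercised, because the kv CLI lists under `metadata/`.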

Sergei Gerasenko

Jul 13, 2018, 8:45:13 AM
to vault...@googlegroups.com
Ah, nice. What operation would require listing the metadata? So far, I haven't come across that situation. Thank you, Brian.

Sergei Gerasenko

Jul 13, 2018, 8:48:28 AM
to vault...@googlegroups.com
Brian, ignore my question. I do have that already. Didn't update the thread after I made the change :)

Thanks!!

On Thu, Jul 12, 2018 at 6:58 PM Brian Kassouf <bkas...@hashicorp.com> wrote: