transit: restricting encrypt and allowing decrypt


Abdel Belkasri, PhD

Jul 18, 2017, 4:58:16 PM7/18/17
to Vault
Hi there,

I am using transit to implement an encryption/decryption service.

To allow user 'demo' to encrypt/decrypt I assign him these policies:

path "transit/keys/demo" { policy="read" }
path "transit/keys/demo" { policy="write" }
path "transit/encrypt/demo" { policy="write" }
path "transit/decrypt/demo" { policy="write" }

However, when authenticated as 'demo' via the 'userpass' auth backend and issuing
$ echo "Some Text" | base64 | vault write -f transit/encrypt/demo

I get error 403, access denied.

Why are the policies not honored? Or how do I assign encrypt/decrypt access?

Thanks
Abdel.

Chris Hoffman

Jul 18, 2017, 5:41:59 PM7/18/17
to vault...@googlegroups.com
Assuming you have the capability to look up your own token, can you check vault read auth/token/lookup-self to ensure you have the roles you are expecting attached to the token?  There is also an error with your encrypt command line, but that is not causing the access denied error.  Your encrypt command should be vault write transit/encrypt/demo plaintext=- to read from stdin.

Chris 


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b428f486-7216-4d11-9a99-2467bbedccb8%40googlegroups.com.

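As an added example (not code posted in the thread), the following script shows the two things Chris's reply points at: a policy for the transit key "demo" (the key name and paths are the thread's; the capabilities-list syntax is an assumption, since the thread uses the older policy="..." form) and an encrypt/decrypt round trip that passes the base64 plaintext as the plaintext= parameter instead of piping it into vault write -f. The vault commands assume VAULT_ADDR and VAULT_TOKEN are set and that transit is mounted at "transit/"; the encoding helpers run offline.

```shell
#!/bin/sh
# Added example, not from the thread. Least-privilege transit policy for the
# key "demo" plus an encrypt/decrypt round trip using plaintext=<base64>.
# Assumes VAULT_ADDR and VAULT_TOKEN are set and transit is mounted at
# "transit/" whenever the vault commands below are actually executed.

# Policy in the capabilities-list syntax (the thread uses policy="read"/"write").
# encrypt and decrypt are POSTs to an existing path, so "update" is enough;
# reading/rotating the key gets read and update.
demo_policy() {
  cat <<'EOF'
path "transit/keys/demo" {
  capabilities = ["read", "update"]
}
path "transit/encrypt/demo" {
  capabilities = ["update"]
}
path "transit/decrypt/demo" {
  capabilities = ["update"]
}
EOF
}

# transit takes the plaintext base64-encoded. printf (not echo) keeps a
# trailing newline out of the message; tr removes base64's line wrapping.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64_decode() { printf '%s' "$1" | base64 -d; }

# Encrypt $2 under key $1; prints the "vault:v1:..." ciphertext.
transit_encrypt() {
  vault write -field=ciphertext "transit/encrypt/$1" plaintext="$(b64_encode "$2")"
}

# Decrypt ciphertext $2 under key $1; prints the original plaintext.
transit_decrypt() {
  b64_decode "$(vault write -field=plaintext "transit/decrypt/$1" ciphertext="$2")"
}

# The live round trip runs only when invoked as "./transit_demo.sh run".
# "vault policy write NAME -" reads the policy from stdin (newer CLI syntax;
# older releases used "vault policy-write").
if [ "${1:-}" = "run" ]; then
  demo_policy | vault policy write demo-transit -
  ct="$(transit_encrypt demo 'Some Text')"
  echo "ciphertext: $ct"
  echo "plaintext:  $(transit_decrypt demo "$ct")"
fi
```

With the policy attached to the 'demo' user's token, vault read auth/token/lookup-self should list demo-transit under policies; if it does not, the token was issued before the policy was mapped to the user and needs to be re-issued by logging in again.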