// , What tools do you use to convert *.hcl Vault policies to *.json ? Do you use JSON maps?


Nathan Basanese

Jun 26, 2018, 7:25:27 PM
to Vault
  // , 


I'm using the repo https://github.com/v6/super-duper-vault-train for some demonstrations.

After I've initialized the Vault cluster, I use the following files to set up a new policy.

policy.sh
#!/usr/bin/env bash

##  Create a policy in Vault
##  VAULT_TOKEN and POLICY_NAME are taken from the environment.
VAULT_ADDR='http://192.168.13.37:8200'
curl -sk \
       --header "X-Vault-Token: ${VAULT_TOKEN}" \
       --request PUT \
       --data @admin.json \
       "${VAULT_ADDR}/v1/sys/policy/${POLICY_NAME}"


admin.hcl
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

I run hcltojson admin.hcl > admin.json.

admin.json
{
    "path": {
        "auth/*": {
            "capabilities": [
                "create",
                "read",
                "update",
                "delete",
                "list",
                "sudo"
            ]
        }
    }
}


I then get the following response when I actually run the script:

$ ./admin.sh
{"errors":["'policy' parameter not supplied or empty"]}

I modify admin.json to have a policy element.

admin.json
{
    "policy": {
        "path": {
            "auth/*": {
                "capabilities": [
                    "create",
                    "read",
                    "update",
                    "delete",
                    "list",
                    "sudo"
                ]
            }
        }
    }
}


I then end up with the following:

$ ./admin.sh
{"errors":["1 error occurred:\n\n* error converting input map[path:map[auth/*:map[capabilities:[create read update delete list sudo]]]] for field \"policy\": '' expected type 'string', got unconvertible type 'map[string]interface {}'"]}

Only when I serialize the policy as follows do I actually get a good response:

{
    "policy": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]}"
}

$ ./admin.sh
$

I can even check the content of the policy:

$ curl -sk \
       --header "X-Vault-Token: ${VAULT_TOKEN}" \
       "${VAULT_ADDR}/v1/sys/policy/admin" | jq
{
  "name": "admin",
  "rules": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]}",
  "request_id": "d19a57cf-db05-9a80-d23b-8567fe3eb7d9",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "name": "admin",
    "rules": "path \"auth/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]}"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Is this normal for Vault? Should I use a different tool to change .hcl files to this serialization method? Is this specific to Vault?

Nathan Basanese

Jun 26, 2018, 7:52:58 PM
to Vault
The questions "Is this normal for Vault?" and "Is this specific to Vault?" have their answers at the following places:


As for how to deal with this, it looks like hcltojson and the like will not help me much.

For the "Should I use a different tool to change .hcl files to this serialization method?" question, it looks like the answer so far is some combination of sed and jq.

Still, if anyone has a better idea, I'm listening.

Nathan Basanese

Jun 26, 2018, 8:12:18 PM
to Vault
  // , Behold, hcl2json, Policy Weirdness Edition

#!/usr/bin/env bash

## hcl2json, Policy Weirdness Edition
## Usage: ./hcl2json.sh admin.hcl > admin.json
## Joins the HCL file into one line and escapes it so it can be embedded
## as the string value of the "policy" key that sys/policy expects.
## Newlines are dropped, so the HCL must not contain line comments
## (# or //); a comment would swallow the rest of the single-line document.
set -euo pipefail

# Escape backslashes first, then double quotes.
REPLACED=$(tr -d '\n' < "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')

# Pass the policy as an argument, not as the format string,
# so a '%' in the policy text is not interpreted by printf.
printf '{\n    "policy": "%s"\n}\n' "${REPLACED}"
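The point the first post arrives at by trial and error, and the bash script above works around, is that PUT /v1/sys/policy/<name> wants the whole HCL document as a single JSON string under "policy", not the object tree hcltojson emits. Hand-rolled escaping with sed is fragile (backslashes, embedded quotes, stripped newlines); letting a JSON encoder do it is the robust way. The following is an added example written for this thread, not code from the original posts or from HashiCorp; the function names and the sample policy (the thread's admin.hcl plus a constructed comment line) are my own.

```python
"""Build the JSON body that Vault's sys/policy endpoint expects.

Vault's PUT /v1/sys/policy/<name> wants {"policy": "<HCL text>"}, i.e. the
whole HCL document embedded as one JSON string. json.dumps handles quotes,
backslashes and newlines correctly, so nothing is escaped by hand.

Added example for this thread; not the original poster's or HashiCorp's code.
"""
import json
from pathlib import Path

# Constructed sample: the thread's admin.hcl with a '#' comment line added,
# to show that newlines must survive the conversion (a one-line join would
# let the comment swallow the rest of the policy).
SAMPLE_HCL = '''# allow full control over auth methods
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
'''


def build_policy_body(hcl_text: str) -> str:
    """Return the JSON request body for PUT /v1/sys/policy/<name>.

    The HCL is kept verbatim (newlines included) and embedded as a string,
    which is the serialization Vault accepts.
    """
    return json.dumps({"policy": hcl_text}, indent=4)


def body_from_file(path: str) -> str:
    """Read an .hcl file and produce the request body for it."""
    return build_policy_body(Path(path).read_text())


def rules_from_read_response(response_json: str) -> str:
    """Extract the stored policy from a GET /v1/sys/policy/<name> response.

    Vault returns the HCL text under data.rules (the thread's read-back
    shows the same value at the top level as well).
    """
    return json.loads(response_json)["data"]["rules"]


def round_trips(hcl_text: str) -> bool:
    """True if the HCL survives encode -> decode unchanged.

    Use this as a check before writing the policy: whatever Vault stores
    should equal the file on disk, comments and newlines included.
    """
    body = build_policy_body(hcl_text)
    return json.loads(body)["policy"] == hcl_text


if __name__ == "__main__":
    print(build_policy_body(SAMPLE_HCL))
    print("round-trips:", round_trips(SAMPLE_HCL))
    # Write the output to admin.json and submit it with the thread's curl
    # command:  --request PUT --data @admin.json "$VAULT_ADDR/v1/sys/policy/admin"
```

Run it as `python3 hcl2json.py > admin.json` (hypothetical file name) and submit admin.json with the curl command from the first post; the newlines in the HCL arrive at Vault as `\n` escapes inside the JSON string, which is valid JSON and keeps any `#` comments intact.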

Nathan Basanese

Aug 9, 2018, 3:03:57 PM
to Vault
  // , Here's a Github Gist for this: https://gist.github.com/v6/f4683336eb1c4a6a98a0f3cf21e62df2

Geoff Webster

Aug 23, 2018, 1:47:23 AM
to Vault
I've generally just stuck to HCL with Terraform or the Vault CLI. It natively supports comments, and I find it much easier to read. I don't see a ton of examples around of directly working with JSON (or even this conversion case), which leads me to believe many people probably work with/submit to Vault directly with HCL.