Created
August 27, 2021 19:03
-
-
Save chrishoffman/3bb4e343002becbd9da585f864139a79 to your computer and use it in GitHub Desktop.
Sentinel and Namespaces
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ## Tools required | |
| # brew install oath-tools qrencode jq | |
| # Vault Enterprise binary in the PATH | |
| ## Vault Server Command (separate terminal) | |
| # VAULT_LICENSE=<vault license> vault server -dev -dev-root-token-id=root | |
| export VAULT_ADDR=http://127.0.0.1:8200 | |
| export VAULT_TOKEN=root | |
| # Create admin namespace | |
| vault namespace create admin | |
| # Create admin policy | |
| ADMIN_POLICY="path \"*\" { | |
| capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"] | |
| } | |
| " | |
| vault policy write admin - <<< $ADMIN_POLICY | |
| # Set up userpass | |
| vault auth enable userpass | |
| vault write auth/userpass/users/test_user password="password" policies=admin | |
| # Create Sentinel policy that blocks all access in the namespace | |
| SENTINEL_POLICY="main = rule { | |
| false | |
| } | |
| " | |
| VAULT_NAMESPACE=admin vault write sys/policies/egp/block-all \ | |
| policy=- \ | |
| paths="*" \ | |
| enforcement_level="hard-mandatory" <<< $SENTINEL_POLICY | |
| # Generate a token for logging in | |
| USER_TOKEN=$(vault login -format=json -method=userpass username=test_user password=password | \ | |
| jq -r .auth.client_token) | |
| # This fails due to the sentinel policy | |
| VAULT_TOKEN=$USER_TOKEN VAULT_NAMESPACE=admin vault secrets enable kv | |
| # The root namespace does not get affected by the sentinel policy | |
| VAULT_TOKEN=$USER_TOKEN vault secrets enable kv |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment