Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save greenbrian/a58cd7d0db980f0106035f8334c8cdea to your computer and use it in GitHub Desktop.
Save greenbrian/a58cd7d0db980f0106035f8334c8cdea to your computer and use it in GitHub Desktop.
HashiCorp Vault - methods of writing ACL policies
There are many methods for writing Vault policies.
This gist was created to collect the most common methods
such that they can be easily used as references for syntax,
as well as evaluation for which method suits a particular purpose.
TODO:
- Add complex policy examples
- Add @json.file examples
- Add httpie examples
resource "vault_policy" "example" {
name = "basic"
policy = "${file("policies/basic.hcl")}"
}
# contents of basic.hcl
path "sys/renew/*" {
capabilities = ["update"]
}
# Allow renewal of token leases
path "auth/token/renew/*" {
capabilities = ["update"]
}
curl \
--silent \
--header "X-Vault-Token: root" \
--request POST \
--data '{"rules":"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"}' \
http://127.0.0.1:8200/v1/sys/policy/test
# read back policy
curl \
--silent \
--header "X-Vault-Token: root" \
--request GET \
http://127.0.0.1:8200/v1/sys/policy/test | jq '.rules'
"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"
echo '
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
' | vault policy-write user -
## read policy back
#$ vault policies user
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
echo '
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
' > policy.hcl
vault policy-write test2 policy.hcl
####################################################
# read back policy
#$ vault policies test2
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
####################################################
vault read -format=json sys/policy/test2
{
"request_id": "dae10a3f-1334-9cb9-df2e-4571d32c6530",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"name": "test2",
"rules": "\npath \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n}\npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n}\npath \"auth/token/lookup-self\" {\n capabilities = [\"create\", \"read\"]\n}\n\n"
},
"warnings": null
}
####################################################
vault read sys/policy/test2
Key Value
--- -----
name test2
rules path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment