I have a problem with Vault from HashiCorp.
I have a server which is set up correctly (I can read from Vault without a problem!) and I connect to it via AppRole.
I have two use-cases which I want to implement.
- Create or Update a specific Secret via Code
- Delete Metadata of a Secret or Destroy Secret
I have 2 AppRoles. One for the first Use-Case and one for the second one.
- CreationAppRole
- DeletionAppRole
I also have 2 policies which I created:
- CreationPolicy
- DeletionPolicy
CreationPolicy:
It should only have the Create and Update Capabilities.
For that my policy looks like this, which should allow the creation and updating of secrets for everything that is under mountpath/data/path/to/secretfolder/. So e.g. the policy should allow me to add a secret under mountpath/data/path/to/secretfolder/test/test. At least that's how I understand it.
```hcl
path "mountpath/data/path/to/secretfolder/*" {
  capabilities = ["create", "update"]
}
```
It is not working and I get a permission denied when I run my code in Java.
DeletionPolicy:
It should only have the delete capability.
For that my policy looks like this, which should allow me to delete the metadata of a secret or destroy it completely. The soft delete is not allowed in my case.
```hcl
path "mountpath/data/path/to/secretfolder/test/*" {
  capabilities = ["read", "list", "delete", "update"]
}
path "mountpath/destroy/path/to/secretfolder/test/*" {
  capabilities = ["delete"]
}
path "mountpath/metadata/path/to/secretfolder/test/*" {
  capabilities = ["delete"]
}
```
I don’t know where my error is. Does anyone have an idea?
What I have done so far:
- I checked the link here and checked how my policy could be wrong: https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2
- I checked that my AppRole has the correct policy assigned
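As an added example (not code from the question or from HashiCorp), a small offline Python checker that encodes which KV v2 request path and capability each operation needs, according to the KV v2 docs linked in the question, and evaluates policy stanzas shaped like the ones above against a concrete secret path; the stanza parser and the precedence rule are simplified assumptions, and the sample policies are constructed.

```python
import re

# KV v2 operation -> (path segment after the mount, capability Vault checks), per the
# linked KV v2 docs. destroy/delete/undelete are POSTs, so they need "update".
KV2_OPS = {
    "create": ("data", "create"),
    "update": ("data", "update"),
    "read": ("data", "read"),
    "soft_delete": ("data", "delete"),
    "destroy": ("destroy", "update"),
    "delete_metadata": ("metadata", "delete"),
}

def parse_policy(text):
    """Minimal parser for flat 'path "..." { capabilities = [...] }' stanzas (assumed: no nesting)."""
    stanza = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
    return [(m.group(1), set(re.findall(r'"([^"]+)"', m.group(2)))) for m in stanza.finditer(text)]

def capabilities_for(rules, path):
    """Simplified Vault precedence: an exact stanza wins, else the longest matching trailing-'*' glob."""
    for pattern, caps in rules:
        if pattern == path:
            return caps
    best, best_len = set(), -1
    for pattern, caps in rules:
        if pattern.endswith("*") and path.startswith(pattern[:-1]) and len(pattern) > best_len:
            best, best_len = caps, len(pattern)
    return best

def check_policy(policy_text, mount, secret, ops):
    """Return {op: allowed} for each KV v2 op on <mount>/<segment>/<secret>."""
    rules = parse_policy(policy_text)
    result = {}
    for op in ops:
        segment, needed = KV2_OPS[op]
        caps = capabilities_for(rules, f"{mount}/{segment}/{secret}")
        result[op] = needed in caps and "deny" not in caps
    return result

# Constructed sample policies, shaped like the stanzas in the question.
CREATION_POLICY = 'path "mountpath/data/path/to/secretfolder/*" { capabilities = ["create", "update"] }'
DELETION_POLICY = '''
path "mountpath/data/path/to/secretfolder/test/*" { capabilities = ["read", "list", "delete", "update"] }
path "mountpath/destroy/path/to/secretfolder/test/*" { capabilities = ["delete"] }
path "mountpath/metadata/path/to/secretfolder/test/*" { capabilities = ["delete"] }
'''

if __name__ == "__main__":
    secret = "path/to/secretfolder/test/test"
    print(check_policy(CREATION_POLICY, "mountpath", secret, ["create", "update"]))
    print(check_policy(DELETION_POLICY, "mountpath", secret, ["soft_delete", "destroy", "delete_metadata"]))
```

If the checker reports an operation as allowed but Vault still returns permission denied, the next thing to compare is the request path the client library actually sends (mount name and the data/ segment included) against the policy paths.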