Skip to content

Instantly share code, notes, and snippets.

@greenbrian

greenbrian/HashiCorp Vault - methods of writing ACL policies

Last active June 13, 2024 13:35
Show Gist options
  • Save greenbrian/a58cd7d0db980f0106035f8334c8cdea to your computer and use it in GitHub Desktop.
Save greenbrian/a58cd7d0db980f0106035f8334c8cdea to your computer and use it in GitHub Desktop.
Download ZIP
HashiCorp Vault - methods of writing ACL policies
Raw
HashiCorp Vault - methods of writing ACL policies
There are many methods for writing Vault policies.
This gist was created to collect the most common methods
such that they can be easily used as references for syntax,
as well as evaluation for which method suits a particular purpose.
TODO:
- Add complex policy examples
- Add @json.file examples
- Add httpie examples
Raw
Terraform.hcl
resource "vault_policy" "example" {
name = "basic"
policy = "${file("policies/basic.hcl")}"
}
# contents of basic.hcl
path "sys/renew/*" {
capabilities = ["update"]
}
# Allow renewal of token leases
path "auth/token/renew/*" {
capabilities = ["update"]
}
Raw
Using Curl - JSON body
curl \
--silent \
--header "X-Vault-Token: root" \
--request POST \
--data '{"rules":"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"}' \
http://127.0.0.1:8200/v1/sys/policy/test
# read back policy
curl \
--silent \
--header "X-Vault-Token: root" \
--request GET \
http://127.0.0.1:8200/v1/sys/policy/test | jq '.rules'
"path \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n} \npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n} \npath \"auth/token/lookup-self\" {\n capabilities = [\"read\"]\n}"
Raw
Using Vault CLI - using stdin
echo '
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
' | vault policy-write user -
## read policy back
#$ vault policies user
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
Raw
Using Vault CLI - write using HCL file
echo '
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
' > policy.hcl
vault policy-write test2 policy.hcl
####################################################
# read back policy
#$ vault policies test2
path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
####################################################
vault read -format=json sys/policy/test2
{
"request_id": "dae10a3f-1334-9cb9-df2e-4571d32c6530",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"name": "test2",
"rules": "\npath \"secret/foo\" {\n capabilities = [\"list\",\"read\"]\n}\npath \"supersecret/*\" {\n capabilities = [\"list\", \"read\"]\n}\npath \"auth/token/lookup-self\" {\n capabilities = [\"create\", \"read\"]\n}\n\n"
},
"warnings": null
}
####################################################
vault read sys/policy/test2
Key Value
--- -----
name test2
rules path "secret/foo" {
capabilities = ["list","read"]
}
path "supersecret/*" {
capabilities = ["list", "read"]
}
path "auth/token/lookup-self" {
capabilities = ["create", "read"]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment