Skip to content

vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api #16

Open
Open
vault: post policy as HCL; find a more ergonomical approach for creating policies via the http api#16
@noahehall

Description

@noahehall
noahehall
opened on Dec 24, 2022

C

  • we need the ability to write policies in HCL, with any level of complexity, and post those HCL policies to a vault server

T

  • dude you just need to convert the policy to a string with quotes escaped, see below

A

creating policy policy_admin_vault:
path "secret/*" { # kv-v2
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "env/*" { # kv-v1
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo"]
}

path "sys/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "auth/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "database/*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}

path "pki*" {
  capabilities = [ "create", "read", "update", "delete", "list", "patch", "sudo" ]
}


[DEBUG] SCRIPT.VAULT.SH
------------
[url]: https://dev.nirv.ai:8300/v1/sys/policies/acl/policy_admin_vault
[args]: -H X-Vault-Token: hvs.EqX-Bzh2cy5yb1lkcXlraHhYWmlLY1R5U2FxcTdoTWo --data {
    "policy": 
        "

                path \"secret/*\" {   
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"env/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\"]
                }
                path \"sys/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"auth/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"database/*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
                path \"pki*\" {  
                        capabilities = [ \"create\", \"read\", \"update\", \"delete\", \"list\", \"patch\", \"sudo\" ]
                }
        "
    }
------------

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    nirvai

    Status

    THE PITS

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions