Vault uses policies to determine which secrets a client can see and what the user can do with them. Policies are deny by default in Vault and are evaluated as needed (i.e. lazy evaluation). As such the policy needs to be explicit about what access is granted.
To craft policies for a specific use case or deployment, consider reviewing HashiCorp’s own policy docs. These walk users through a basic workflow with examples for an admin and a provisioner.
Policies are written in JSON or HashiCorp’s Terraform language called HCL and contain a path and capabilities. See the HCL docs for more info on the syntax.
A simple policy to allow read access to a specific path looks like:
Policy path’s can also use the wild card
* to grant the desired capabilities
to anything in a path. As well as the
+ wildcard to match a directory path.
There are parameter constraint keys that offer fine control over what path can have. These include the following:
required_parameters: list of parameters that must be specified
allowed_parameters: whitelist a list of keys and values that are permitted
denied_parameters: blacklists a list of parameters and values
Finally, there are additional options for required
response wrapping TTLs
The capabilities options generally correspond to the HTTP verbs:
list. There are also
sudo for root-protected
deny to specifically disallow access.
On the CLI here are the equivilient commands:
There are two built-in policies that come with Vault:
The root policy allows a user to do anything with Vault. The policy itself cannot be modified or removed. When Vault is first set up the root token is either passed in or provided to the user. This token is used to login as the root user and do the initial setup. Afterward, the token should be revoked:
The default policy is included in all tokens and provides common permissions. However, the user can update the administrator could update the policy to restrict these further. Vault makes sure to say that future updates to Vault would not override any changes an admin makes.
With secrets stored and policies in place, it is time to grant access to the secrets!