8

Is this a hashicorp vault policy so that it allows access to any resource and path within vault? I'm looking to enable an admin policy without granting root token access to anyone for obvious security reasons.

path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Wunderbread
  • 898
  • 2
  • 14
  • 34

3 Answers

2

Hoping this admin policy is just used in a development/test environment. For obvious security reasons, it seems really unsafe to distribute such a policy to anyone.

The Vault root token was designed by Hashicorp to allow you to create specific users with controlled policies at the first configuration of your Vault.

After this step, no one should possess such a privilege.

wawazerty
  • 54
  • 3
  • 1
    For anyone reading this, avoid using this policy within production. It's also worth noting that in 2020, this policy caused a bug where some UI components were still out of the granted permission. This should have since been resolved. – Wunderbread Oct 09 '21 at 20:48
  • @wawazerty I did just read that it's considered a best practice to revoke the root token and regenerate a temp root token when needed. This policy seems secure to me. When you say `For obvious security reasons, it seems really unsafe to distribute such policy to anyone` what do you mean? Having a root token seems more unsafe than having users with this policy applied. – Clintm May 02 '22 at 13:50
  • @Clintm I almost agree with you about "Having a root token seems more unsafe than having users with this policy applied". Yes, it is better to have a user with this policy than to directly use the root token. But if your Vault is used by several teams, is it normal that admins can read/write/destroy data related to all teams? You should try to implement the principle of least privilege even for your admin users. – wawazerty May 03 '22 at 14:20
  • In this Hashicorp doc you can see an example of what an admin policy can be: https://learn.hashicorp.com/tutorials/vault/policies. – wawazerty May 03 '22 at 14:28
2

I use this admin policy that is able to:

- Read system health check
- Create and manage ACL policies broadly across Vault
- Enable and manage authentication methods broadly across Vault
- Manage the Key-Value secrets engine enabled at secret/ path

path "sys/health" {
  capabilities = ["read", "sudo"]
}

path "sys/policies/acl" {
  capabilities = ["list"]
}

path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/auth/*" {
  capabilities = ["create", "update", "delete", "sudo"]
}

path "sys/auth" {
  capabilities = ["read"]
}

path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

path "sys/mounts" {
  capabilities = ["read"]
}
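To make the difference between the `path "*"` policy in the question and the scoped policy above concrete, and to illustrate the per-team least-privilege point raised in the comments on the first answer, here is an added example (not code from the question, the answers, or HashiCorp) that evaluates requests against Vault-style ACL policies. It implements the ACL rules that matter for this comparison: deny by default, the most specific matching path rule wins (an exact path beats a glob, and a longer glob prefix beats a shorter one), a trailing `*` matches any suffix, `+` matches one path segment, and an explicit `deny` capability overrides everything else. It is a simplification: it does not model root-protected paths (the reason the scoped policy carries `sudo` on paths such as `sys/auth/*`) or the create-versus-update distinction. The `team-a` policy and all request paths are constructed for illustration.

```python
import re

# Added example, not the original post's code: a simplified evaluator of Vault
# ACL policy semantics. The policy texts are constructed for illustration.

RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl: str) -> dict:
    """Return {path_pattern: set(capabilities)} from a Vault-style policy text."""
    rules = {}
    for path, caps in RULE_RE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def path_matches(rule: str, request: str) -> bool:
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    pattern = re.escape(body).replace(r"\+", "[^/]+")
    if glob:
        pattern += ".*"
    return re.fullmatch(pattern, request) is not None


def allowed(rules: dict, request: str, capability: str) -> bool:
    """Deny by default; the most specific matching rule decides; 'deny' wins."""
    matches = [r for r in rules if path_matches(r, request)]
    if not matches:
        return False
    exact = [r for r in matches if not r.endswith("*")]
    best = exact[0] if exact else max(matches, key=len)
    caps = rules[best]
    if "deny" in caps:
        return False
    return capability in caps


# The policy from the question: everything, everywhere.
ROOT_LIKE = parse_policy('''
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
''')

# The scoped admin policy from the answer above.
SCOPED_ADMIN = parse_policy('''
path "sys/health"         { capabilities = ["read", "sudo"] }
path "sys/policies/acl"   { capabilities = ["list"] }
path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "auth/*"             { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/auth/*"         { capabilities = ["create", "update", "delete", "sudo"] }
path "sys/auth"           { capabilities = ["read"] }
path "secret/*"           { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/mounts/*"       { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
path "sys/mounts"         { capabilities = ["read"] }
''')

# A constructed per-team policy with a production carve-out, in the spirit of
# the least-privilege comments: team A manages its own KV v2 data, except prod.
TEAM_A = parse_policy('''
path "secret/data/team-a/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/team-a/prod/*" {
  capabilities = ["deny"]
}
''')


def compare(request: str, capability: str) -> dict:
    """Evaluate one request against all three policies side by side."""
    return {
        "root-like": allowed(ROOT_LIKE, request, capability),
        "scoped-admin": allowed(SCOPED_ADMIN, request, capability),
        "team-a": allowed(TEAM_A, request, capability),
    }


if __name__ == "__main__":
    for req, cap in [
        ("sys/raw/logical/secret", "read"),      # only the root-like policy reaches sys/raw
        ("secret/data/team-a/db", "read"),       # everyone who should see it can
        ("secret/data/team-a/prod/db", "read"),  # deny carve-out beats the broader grant
        ("sys/mounts", "delete"),                # exact rule grants read only
    ]:
        print(f"{req:30} {cap:7} {compare(req, cap)}")
```

Running it shows why the comments call the `path "*"` policy root-equivalent: it is the only one that reaches `sys/raw/*`, while the scoped policy still lets an admin manage mounts, auth methods and policies, and the team policy cannot read outside its own prefix. The `sys/mounts` row also shows how the exact-match rule and the `sys/mounts/*` glob are evaluated independently, which is why the answer lists both.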
0

The policy @Wunderbread posted is the correct admin policy that can be applied to users without the need for a root token.

Clintm
  • 4,505
  • 3
  • 41
  • 54