我在开发人员模式下在docker容器中本地运行Hashicorp Vault v1.1.0。我exec进入容器使用cli,我无法用策略和令牌完成基本的概念证明,这使我只能访问一个秘密。
下面是我使用秘密引擎v2采取的行动的记录。我在这做错了什么?
/ # VAULT_TOKEN=myroot vault kv enable-versioning secret/
Success! Tuned the secrets engine at: secret/
/ # VAULT_TOKEN=myroot vault kv put secret/message value=mypassword
Key Value
--- -----
created_time 2019-04-11T20:23:25.0149145Z
deletion_time n/a
destroyed false
version 5
/ # cat p.hcl
path "secret/message" {
capabilities = ["read"]
}
/ # VAULT_TOKEN=myroot vault policy write message-readonly p.hcl
Success! Uploaded policy: message-readonly
/ # VAULT_TOKEN=myroot vault token create -policy="message-readonly"
Key Value
--- -----
token s.hZNCq7Q5plwA4XjcGAcsd5tg
token_accessor vpcxkGMbDBswfJPTGzzfY4he
token_duration 768h
token_renewable true
token_policies ["default" "message-readonly"]
identity_policies []
policies ["default" "message-readonly"]
/ # VAULT_TOKEN=s.hZNCq7Q5plwA4XjcGAcsd5tg vault kv get secret/message
Error reading secret/data/message: Error making API request.
URL: GET http://127.0.0.1:1234/v1/secret/data/message
Code: 403. Errors:
* 1 error occurred:
* permission denied
/ #
在为KV后端版本2制定策略时,需要指定API路径,而不是“vault kv”使用的逻辑路径。您的政策应如下所示:
path "secret/data/message" {
capabilities = ["read"]
}
在制定KV2政策时,您需要注意一些其他的怪癖。有关更多信息,请参阅https://www.vaultproject.io/docs/secrets/kv/kv-v2.html。