I provided a policy for new users who need to create new secrets and new secret versions, but they should not have the ability to delete secrets or secret versions. The snippet below prevents users from deleting secrets; however, they are still able to destroy every secret version.

How can I prevent them from destroying secret versions with a policy?
```hcl
# This section grants create, read, update and list on "secrets/*" (no
# "delete"). Further restrictions can be applied to this broad policy, as
# shown below.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

# This section explicitly denies the ability to destroy secret versions.
path "secrets/destroy/*" {
  capabilities = ["deny"]
}

# This section explicitly denies the ability to delete specific secret
# versions through the KV v2 delete endpoint.
path "secrets/delete/*" {
  capabilities = ["deny"]
}
```