Hashicorp Vault - curl fails with permission denied - cannot delete secret - token created with a policy that has the delete capability

Question (votes: 0, answers: 0)

vault --version: Vault v1.9.2

I created a policy file with a few capabilities, in particular delete:

# cat ~/.my_policy.hcl 
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

Created a new policy from this file; I can now see the policy in the list operation:

# vault policy write my-policy ~/.my_policy.hcl 
Success! Uploaded policy: my-policy

# vault policy list
default
my-policy
root

# vault policy read my-policy
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

Created a new token with the above policy (so I can use it in the CURL -X DELETE operation):

# vault token create -policy=my-policy
Key                  Value
---                  -----
token                s.27T3cNB4PrHll9byc6tppHw9
token_accessor       C6mu2crjudeHVy5jijcFkF4K
token_duration       768h
token_renewable      true
token_policies       ["default" "my-policy"]
identity_policies    []
policies             ["default" "my-policy"]

However, when I look at the token's capabilities on the folder path defined in my policy file, it shows a different policy, root, and shows deny:

# vault token lookup s.27T3cNB4PrHll9byc6tppHw9
Key                 Value
---                 -----
accessor            C6mu2crjudeHVy5jijcFkF4K
creation_time       1678469133
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2023-04-11T17:25:33.405537533Z
explicit_max_ttl    0s
id                  s.27T3cNB4PrHll9byc6tppHw9
issue_time          2023-03-10T17:25:33.405548806Z
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default my-policy]
renewable           true
ttl                 767h48m50s
type                service

# These should have shown my-policy than root
# This should have shown all policies having some capability at this path
# ----

# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9
root
# vault token capabilities secrets/*
root
# vault token capabilities secrets
root

# This should not give me deny when this token has the necessary policy 'my-policy' with 'delete' capability
# ----
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets/*
deny
# vault token capabilities s.27T3cNB4PrHll9byc6tppHw9 secrets
deny

Error message:

# curl -k -s -X GET -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}

# curl -k -s -X DELETE -H 'X-Vault-Token: s.27T3cNB4PrHll9byc6tppHw9' https://vaultserver:8200/v1/secret/data/testA1/test
{"errors":["permission denied"]}

When querying vault directly from the command line for the secret secret/testA1/test, it spits out:

{
  "ttl": "90d",
  "username": "test",
  "value": "KneelB4Me!YaRight"
}
Tags: curl permission-denied policy hashicorp-vault vault
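Added example, not part of the original question and not HashiCorp's code: a small Python model of how Vault's ACL system matches a policy's `path` rules against a request path, run against the `my-policy` text from the question. It implements the documented rules (a trailing `*` is a prefix glob, `+` matches exactly one path segment, the most specific matching rule wins, an explicit `deny` overrides everything, and root tokens report `root`) and prints the same capability list that `vault token capabilities TOKEN PATH` would. The `deny-testA1` policy and the empty stand-in for the built-in `default` policy are constructed for the example; `secret/data/testA1/test` is the KV v2 data path that the curl commands in the question hit.

```python
import re
from typing import Dict, List, Set, Tuple

# Policy text copied from the question (constructed inline, not read from a server).
MY_POLICY_HCL = '''
path "secret/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}
'''

# Constructed for the example: an explicit deny on a more specific path.
DENY_TESTA1_HCL = '''
path "secret/data/testA1/*" {
  capabilities = ["deny"]
}
'''

# Policy name -> HCL. Vault's built-in "default" policy grants nothing under
# secret/, so an empty rule set is an adequate stand-in for this example.
POLICIES: Dict[str, str] = {
    "default": "",
    "my-policy": MY_POLICY_HCL,
    "deny-testA1": DENY_TESTA1_HCL,
}

_RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(hcl: str) -> List[Tuple[str, List[str]]]:
    """Minimal parser for the `path "..." { capabilities = [...] }` form used above."""
    rules = []
    for path, caps in _RULE_RE.findall(hcl):
        rules.append((path, [c.strip().strip('"') for c in caps.split(",") if c.strip()]))
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Vault ACL matching: `+` matches one segment, a trailing `*` is a prefix glob."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    qseg = path.split("/")
    if glob:
        # "secret/*" -> every segment before the glob must match; the glob segment
        # is a prefix of the corresponding request segment ("" matches anything).
        if len(qseg) < len(pseg):
            return False
        head, last = pseg[:-1], pseg[-1]
        if any(p != "+" and p != q for p, q in zip(head, qseg)):
            return False
        return qseg[len(head)].startswith(last)
    return len(pseg) == len(qseg) and all(p == "+" or p == q for p, q in zip(pseg, qseg))


def capabilities(policy_names: List[str], path: str,
                 policies: Dict[str, str] = POLICIES) -> List[str]:
    """Capabilities a token holding `policy_names` has on `path`, as the CLI prints them."""
    if "root" in policy_names:
        return ["root"]
    # Rules for the same pattern across policies are unioned; between different
    # patterns the most specific one (exact before glob, then longest) wins.
    matched: Dict[str, Set[str]] = {}
    for name in policy_names:
        for pattern, caps in parse_policy(policies.get(name, "")):
            if path_matches(pattern, path):
                matched.setdefault(pattern, set()).update(caps)
    if not matched:
        return ["deny"]
    best = max(matched, key=lambda p: (not p.endswith("*"), len(p)))
    if "deny" in matched[best]:
        return ["deny"]
    return sorted(matched[best])


if __name__ == "__main__":
    token_policies = ["default", "my-policy"]
    for p in ("secret/data/testA1/test", "secrets/data/testA1/test", "secret"):
        print(f"{p:32} {', '.join(capabilities(token_policies, p))}")
    print("with deny-testA1:", capabilities(token_policies + ["deny-testA1"],
                                           "secret/data/testA1/test"))
```

Two points the model makes visible: a rule for `secret/*` does not match a request under `secrets/` (the glob only extends the pattern to the right), and an explicit `deny` on a narrower path wins over a broader grant. On the CLI side, `vault token capabilities PATH` with a single argument evaluates the token the CLI itself is logged in with, whereas `vault token capabilities TOKEN PATH` evaluates the given token. Note also that for a KV v2 mount, `DELETE /v1/secret/data/<name>` soft-deletes the latest version; permanently removing data needs the `secret/destroy/<name>` or `secret/metadata/<name>` paths, which a policy has to grant separately.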