小贝子编程

分配了策略的用户无法访问 KV 版本 2 中的机密



我已经创建了一个kv(版本2)秘密引擎,安装在/secret:

$ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_915b3383    per-token private secret storage
identity/     identity     identity_9736df92     identity store
secret/       kv           kv_8ba16621           n/a
sys/          system       system_357a0e34       system endpoints used for control, policy and debugging

我已经创建了一个策略,应该让管理员访问myproject中的所有内容:

$ vault policy read myproject
path "secret/myproject/*" {
capabilities = ["create","read","update","delete","list"]
}

我已经在适当的路径中创建了一个秘密(使用根令牌):

$ vault kv put secret/myproject/entry1 pass=pass
Key              Value
---              -----
created_time     2022-05-11T15:06:49.658185443Z
deletion_time    n/a
destroyed        false
version          1

我已经创建了一个用户,并为其分配了给定的策略:

$ vault token lookup
Key                 Value
---                 -----
accessor            CBnMF4i2cgadYoMNAX1YHaX6
creation_time       1652281774
creation_ttl        168h
display_name        userpass-myproject
entity_id           ad07640c-9440-c4a1-b668-ab0b8d07fe93
expire_time         2022-05-18T15:09:34.799969629Z
explicit_max_ttl    0s
id                  s.FO7PrOBdvC3KB85N46E05msi
issue_time          2022-05-11T15:09:34.799982017Z
meta                map[username:myproject]
num_uses            0
orphan              true
path                auth/userpass/login/myproject
policies            [default myproject]
renewable           true
ttl                 167h53m36s
type                service

然而,当我试图访问任何东西(列表,get),我得到一个403错误:

$ vault kv list secret/myproject
Error listing secret/metadata/myproject: Error making API request.
URL: GET https://example.vault/v1/secret/metadata/myproject?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied

$ vault kv get secret/myproject/entry1
Error reading secret/data/myproject/entry1: Error making API request.
URL: GET https://vault.private.gsd.sparkers.io/v1/secret/data/myproject/entry1
Code: 403. Errors:
* 1 error occurred:
* permission denied

当我将策略更改为此(将路径更改为secret/*)时,我可以访问所有内容:

$ vault policy read myproject
path "secret/*" {
capabilities = ["create","read","update","delete","list"]
}
$ vault kv get secret/myproject/entry1
====== Metadata ======
Key              Value
---              -----
created_time     2022-05-11T15:06:49.658185443Z
deletion_time    n/a
destroyed        false
version          1
==== Data ====
Key     Value
---     -----
pass    pass

我做错了什么?

您需要这样定义您的策略:

path "secret/metadata/myproject/*" {
capabilities = ["list"]
}
path "secret/data/myproject/*" {
capabilities = ["create","read","update","delete"]
}

因为在发动机v2时,kv list表示metadata, kv get表示data

不知道我怎么错过了这里的文档:https://www.vaultproject.io/docs/secrets/kv/kv-v2:

读写版本以data/path为前缀。

谢谢@Matt Schuchard

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium