John Smith

Reputation: 11

How can I create a HashiCorp Vault policy that prevents users from destroying secret versions?

I have a policy that is given to new users who need the ability to create new secrets and new secret versions but they should not have the ability to delete secrets or secret versions. The snippet below prevents users from deleting a secret; however, they are still able to destroy every single secret version.

How can I prevent them from destroying a secret version using a policy?

# This section grants all access on "secrets/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

Upvotes: 0

Views: 1057

Answers (1)

John Smith

Reputation: 11

You can use the HashiCorp Vault API docs to figure this out:

https://www.vaultproject.io/api/secret/kv/kv-v2.html
https://github.com/hashicorp/vault/blob/master/website/source/docs/concepts/policies.html.md

# This section grants all access on "secrets/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "secrets/*" {
  capabilities = ["create", "read", "update", "list"]
}

# This section explicitly denies the ability to destroy secret versions.
path "secrets/destroy/*" {
  capabilities = ["deny"]
}
path "secrets/delete/*" {
  capabilities = ["deny"]
}

Upvotes: 1
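As an added example (not code from the question or the answer above), the following Python script models how Vault's ACL path matching resolves the two policies on this page and checks each KV v2 operation against them. The matching rules it implements are the documented ones in simplified form: an exact path beats a glob, the longest glob prefix wins among globs, a `deny` capability overrides every other capability on the chosen rule, and an unmatched path is denied; `+` single-segment wildcards are supported, but this is not Vault's radix-tree implementation. The mount name `secrets` comes from the post; the secret path `app/db` and the `HARDENED_POLICY` rule on `secrets/metadata/*` are my own constructions, the latter going one step beyond the answer.

```python
"""Model of Vault ACL path matching, applied to the KV v2 policy in the answer.

Added example, not from the post. Simplified from the documented rules:
exact path beats glob, longest glob prefix wins among globs, "deny" beats
every other capability on the chosen rule, and unmatched paths are denied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str             # e.g. "secrets/destroy/*"
    capabilities: frozenset  # e.g. frozenset({"deny"})


def _matches(pattern: str, path: str) -> bool:
    """True if `path` is covered by `pattern` ('*' only at the end, '+' = one segment)."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    path_segs = path.split("/")
    if not glob:
        return len(pat_segs) == len(path_segs) and all(
            p == "+" or p == s for p, s in zip(pat_segs, path_segs))
    if len(path_segs) < len(pat_segs):
        return False
    for p, s in zip(pat_segs[:-1], path_segs):
        if p != "+" and p != s:
            return False
    last = pat_segs[-1]  # may be a partial segment, as in "secrets/dat*"
    return last == "+" or path_segs[len(pat_segs) - 1].startswith(last)


def allowed(policy: list, path: str, capability: str) -> bool:
    """Pick the most specific matching rule, then apply deny-wins and default-deny."""
    matching = [r for r in policy if _matches(r.pattern, path)]
    if not matching:
        return False  # nothing grants access: default deny
    exact = [r for r in matching if not r.pattern.endswith("*")]
    rule = exact[0] if exact else max(matching, key=lambda r: len(r.pattern))
    if "deny" in rule.capabilities:
        return False  # "deny" takes precedence over any other capability
    return capability in rule.capabilities


# How KV v2 operations map onto ACL paths and capabilities. The point of the
# question: destroy, delete and undelete are POSTs to dedicated sub-paths,
# so they need "update" there, which a broad "secrets/*" rule already grants.
KV2_OPERATIONS = {
    "write_version":    ("data",     "update"),
    "read_latest":      ("data",     "read"),
    "soft_delete":      ("delete",   "update"),
    "undelete":         ("undelete", "update"),
    "destroy":          ("destroy",  "update"),
    "delete_all":       ("metadata", "delete"),   # removes every version
    "set_max_versions": ("metadata", "update"),   # can trim older versions
}


def check(policy: list, mount: str, secret: str, op: str) -> bool:
    sub, cap = KV2_OPERATIONS[op]
    return allowed(policy, f"{mount}/{sub}/{secret}", cap)


# The policy from the question: broad grant, no "delete" capability.
QUESTION_POLICY = [
    Rule("secrets/*", frozenset({"create", "read", "update", "list"})),
]

# The policy from the answer: same grant plus explicit denies on the
# destroy and delete sub-paths.
ANSWER_POLICY = QUESTION_POLICY + [
    Rule("secrets/destroy/*", frozenset({"deny"})),
    Rule("secrets/delete/*", frozenset({"deny"})),
]

# My own stricter variant (constructed): metadata becomes read/list only, so
# version-retention settings cannot be changed by these users.
HARDENED_POLICY = ANSWER_POLICY + [
    Rule("secrets/metadata/*", frozenset({"read", "list"})),
]


if __name__ == "__main__":
    policies = {"question": QUESTION_POLICY, "answer": ANSWER_POLICY,
                "hardened": HARDENED_POLICY}
    for name, policy in policies.items():
        print(f"--- {name} policy, secret app/db ---")
        for op in KV2_OPERATIONS:
            verdict = "allow" if check(policy, "secrets", "app/db", op) else "deny"
            print(f"{op:18} {verdict}")
```

Running the script shows why the question's policy still lets a user destroy versions (`secrets/destroy/app/db` needs only `update`, which `secrets/*` grants) and why the answer's denies fix that: `secrets/destroy/*` is a longer glob than `secrets/*`, so it wins, and its `deny` overrides everything. The last row also shows a gap the answer leaves open: `update` on `secrets/metadata/*` is still granted, and the KV v2 metadata endpoint's `max_versions` setting permanently removes the oldest versions once a key exceeds it, which is why the hardened variant restricts that path to `read` and `list`.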
